Windows Server 2016 - Microsoft Tech Talks
TRANSCRIPT
• Microsoft Tech Talks is a Technical Community event designed to bring IT leaders in the local area together at a Microsoft facility for deep Microsoft-technology based discussions and
• An opportunity to network and share with local Microsoft Services Professionals and other IT professionals
• A Microsoft Services presenter delivers a technically-rich presentation covering a product, product feature, or service that Microsoft offers
• Our presenters are world-class Subject Matter Experts and trusted advisors to our highly-valued customers
• Our meetings are a great opportunity to ask the experts questions about their given field of expertise
• Subjects vary from session to session and attempt to be at the leading edge, showcasing our latest features and products available
• These communities now collectively have over 2500 members that have joined one of the local meetup groups
• We are constantly expanding to a region near you, your friends, colleagues…
http://aka.ms/mtt
Group | Join us
MTT So-Cal | http://www.meetup.com/mttsocal
MTT Charlotte | http://www.meetup.com/mttcharlotte
MTT Tempe | http://www.meetup.com/mtttempe
MTT Nor-Cal | http://www.meetup.com/mttnorcal
MTT Pac West | http://www.meetup.com/mttpacwest
MTT Las Vegas | http://www.meetup.com/mttlasvegas
MTT Detroit | http://www.meetup.com/mttdetroit
MTT Atlanta | http://www.meetup.com/atlanta
We are on meetup: http://meetup.com/mttnwa
• Join Us
• Join Other Groups
• RSVP Closed does not mean Closed
Look for the Microsoft Events sign-up link
• We send details of other events out
• Look out for poll Qs
• Tell all your friends, colleagues
• Group Review
Coming Up: Local Northwest Arkansas SQL Server Users Group
If you are interested in networking with SQL Server professionals in the area, join us on the second Wednesday of every month from 11:30 - 13:00
Sign up for meeting reminders at
http://nwarkansas.pass.org
A PASS.ORG users group
Sponsored by Microsoft and GDH Consulting
Next Microsoft Tech Talk
• August 28th
• Microsoft Azure Roadmap – Brian Seymour and Brandon Clark
• Introduction
• Security, Identity and Access
• Networking
• Management
• Storage
• Compute
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied "Assume breach" to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard: Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity: Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender: Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security): Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX, and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard: Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard: Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
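A defender's check for the VBS-dependent protections described above, as an added example that is not part of the original slides: it reads the Win32_DeviceGuard CIM class and reports whether VBS, Credential Guard and HVCI are actually running rather than only configured. The function name Get-VbsProtectionStatus and the sample object are assumptions made for illustration.

```powershell
# Added example: decode the Win32_DeviceGuard CIM class to see whether
# Virtualization Based Security (VBS), Credential Guard and HVCI are
# configured AND running. Get-VbsProtectionStatus is a hypothetical helper name.

function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param(
        # Optional pre-fetched object so the decoding logic can be exercised offline.
        [Parameter()] $DeviceGuardInfo
    )

    if (-not $DeviceGuardInfo) {
        # Live query; requires a host that exposes the Device Guard WMI namespace.
        $DeviceGuardInfo = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    }

    # Documented value meanings for the class properties.
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $hwProps   = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protections'
        6 = 'SMM mitigations'
    }

    # CIM returns UInt32 values; cast to [int] so hashtable lookups match the keys above.
    $toInts = { param($values) @($values | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ }) }
    $configured = & $toInts $DeviceGuardInfo.SecurityServicesConfigured
    $running    = & $toInts $DeviceGuardInfo.SecurityServicesRunning
    $available  = & $toInts $DeviceGuardInfo.AvailableSecurityProperties
    $required   = & $toInts $DeviceGuardInfo.RequiredSecurityProperties
    $vbsCode    = [int]$DeviceGuardInfo.VirtualizationBasedSecurityStatus

    # One row per security service: configured by policy vs. actually running.
    $serviceReport = foreach ($id in ($services.Keys | Sort-Object)) {
        [pscustomobject]@{
            Service    = $services[$id]
            Configured = $configured -contains $id
            Running    = $running -contains $id
        }
    }

    # Hardware properties the policy requires but the platform does not offer.
    $missing = @($required |
        Where-Object { $_ -ne 0 -and $available -notcontains $_ } |
        ForEach-Object { $hwProps[$_] })

    [pscustomobject]@{
        VbsStatus                 = $vbsStates[$vbsCode]
        Services                  = $serviceReport
        AvailableHardwareFeatures = @($available | Where-Object { $_ -ne 0 } | ForEach-Object { $hwProps[$_] })
        MissingRequiredFeatures   = $missing
        # Credential Guard only protects LSA secrets when VBS itself is running.
        CredentialGuardEffective  = ($vbsCode -eq 2) -and ($running -contains 1)
        HvciEffective             = ($vbsCode -eq 2) -and ($running -contains 2)
    }
}

# Constructed sample (not real output from any host): VBS running, Credential
# Guard configured and running, HVCI configured but not running, and DMA
# protection required by policy but not offered by the platform.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(1)
    AvailableSecurityProperties       = @(1, 2)
    RequiredSecurityProperties        = @(1, 2, 3)
}

$result = Get-VbsProtectionStatus -DeviceGuardInfo $sample
$result | Format-List VbsStatus, CredentialGuardEffective, HvciEffective, MissingRequiredFeatures
$result.Services | Format-Table -AutoSize

# On a real host, call it with no arguments to query the local machine:
# Get-VbsProtectionStatus
```

A service that shows Configured but not Running is the case worth alerting on, since policy was applied but the protection is not in effect.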
Just In Time Administration: Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA): Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS): Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests: will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card, or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .Net Core, ASP.Net Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Next Microsoft Tech Talk
• August 28th
• Microsoft Azure Roadmap – Brian Seymour and Brandon Clark
• Introduction
• Security, Identity and Access
• Networking
• Management
• Storage
• Compute
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied "Assume breach" to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
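A defender's check for the Device Guard (VBS) and Credential Guard slides above, added here as an example and not part of the original deck: it reads the `Win32_DeviceGuard` CIM class and reports whether VBS, Credential Guard and HVCI are actually running, and which required platform protections are missing. The function names, the `-DeviceGuard` parameter and the sample object are constructed for illustration.

```powershell
# Added example (not from the deck). Value meanings follow Microsoft's
# documentation for the Win32_DeviceGuard class.
$VbsStatusMap = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ServiceMap   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor Code Integrity (HVCI)' }
$PropertyMap  = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'UEFI NX protections'
    6 = 'SMM mitigations'
}

# Translate numeric codes to names; unknown codes are reported, not dropped.
function ConvertTo-DgName {
    param([object[]]$Values, [hashtable]$Map)
    foreach ($v in $Values) {
        $key = [int]$v   # CIM returns UInt32; hashtable keys above are Int32
        if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
    }
}

function Get-VbsReport {
    param(
        # Hypothetical parameter: pass a captured or constructed object to
        # analyse offline; by default the live host is queried.
        [object]$DeviceGuard
    )
    if (-not $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                       -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }

    # A value of 0 means "none", so it is filtered out of every list.
    $keep       = { $null -ne $_ -and $_ -ne 0 }
    $running    = @($DeviceGuard.SecurityServicesRunning     | Where-Object $keep)
    $configured = @($DeviceGuard.SecurityServicesConfigured  | Where-Object $keep)
    $available  = @($DeviceGuard.AvailableSecurityProperties | Where-Object $keep)
    $required   = @($DeviceGuard.RequiredSecurityProperties  | Where-Object $keep)

    # Configured-but-not-running is the state worth alerting on: policy asks
    # for the protection, but the host is not actually providing it.
    $notRunning = $configured | Where-Object { $running   -notcontains $_ }
    $missing    = $required   | Where-Object { $available -notcontains $_ }

    [pscustomobject]@{
        VbsStatus             = $VbsStatusMap[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        ServicesRunning       = @(ConvertTo-DgName $running    $ServiceMap)
        ConfiguredNotRunning  = @(ConvertTo-DgName $notRunning $ServiceMap)
        AvailableProperties   = @(ConvertTo-DgName $available  $PropertyMap)
        MissingRequired       = @(ConvertTo-DgName $missing    $PropertyMap)
        CredentialGuardActive = ($running -contains 1)
        HvciActive            = ($running -contains 2)
    }
}

# Constructed sample: VBS running, Credential Guard and HVCI configured,
# but only Credential Guard actually running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = 1, 2
    SecurityServicesRunning           = @(1)
    AvailableSecurityProperties       = 1, 2, 3
    RequiredSecurityProperties        = 1, 2
}
Get-VbsReport -DeviceGuard $sample | Format-List

# Live host (Windows Server 2016 or Windows 10): Get-VbsReport | Format-List
```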
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade, Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30% – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70% – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80% – 90%
General File Share | All of the above | 50% – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required, however SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Coming UpLocal Northwest Arkansas SQL Server Users Group
If you are interested in networking with SQL Server professionals in the area join us on the second Wednesday of every month from 1130 - 1300
Sign up for meeting reminders at
httpnwarkansaspassorg
A PASSORG users group
Sponsored by Microsoft and GDH Consulting
Next Microsoft Tech Talk
bull August 28th
bull Microsoft Azure Roadmap ndash Brian Seymour and Brandon Clark
bull Introduction
bull Security Identity and Access
bull Networking
bull Management
bull Storage
bull Compute
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
bull Windows Server 2012 R2 licensing is processor-based
bull Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
bull Core-based licensing model
bull Offers consistent approach across environments
bull Enable multi-cloud scenarios
bull Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
bull Shielded Virtual Machines software-defined networking
bull Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) CadenceFor Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time CBB amp CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Pathsbull Installation
bull Migration
bull Cluster OS Rolling Upgrade
bull License Conversion (Windows Server 2016 Standard to Datacenter)
bull Upgrade
bull Recommendations for moving to Windows Server 2016
bull Windows Server Installation and Upgrade
bull Upgrade and conversion options
bull Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs, with the focus to:
• Protect
• Detect
• Respond
Control Flow Guard: Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity: Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender: Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security): Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass-the-Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
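To confirm on a host that the protections on the Device Guard (VBS) and Credential Guard slides are actually running, the following added example (not part of the original deck) interprets the Win32_DeviceGuard CIM class. The function names are hypothetical, the numeric codes follow Microsoft's documentation for that class, and the sample object is constructed so the logic can be read without a VBS-capable machine.

```powershell
# Added example: report whether VBS, Credential Guard and HVCI are running,
# and which required platform properties or configured services are missing.

# Codes used by Win32_DeviceGuard for platform security properties and services.
$script:VbsPropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'UEFI NX protections'
    6 = 'SMM mitigations'
}
$script:VbsServiceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

function ConvertTo-IntList {
    # CIM returns UInt32[]; normalise to Int32 and drop 0 ("none") and null entries.
    param($Value)
    @($Value | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ } | Where-Object { $_ -gt 0 })
}

function Resolve-Name {
    # Translate numeric codes to names, keeping unknown codes visible.
    param([hashtable]$Map, [int[]]$Codes)
    foreach ($c in $Codes) {
        if ($Map.ContainsKey($c)) { $Map[$c] } else { "Unknown code $c" }
    }
}

function Get-VbsPosture {
    param(
        # Any object exposing the Win32_DeviceGuard properties;
        # the local host is queried when the parameter is omitted.
        $DeviceGuard
    )
    if ($null -eq $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }

    $available  = @(ConvertTo-IntList $DeviceGuard.AvailableSecurityProperties)
    $required   = @(ConvertTo-IntList $DeviceGuard.RequiredSecurityProperties)
    $configured = @(ConvertTo-IntList $DeviceGuard.SecurityServicesConfigured)
    $running    = @(ConvertTo-IntList $DeviceGuard.SecurityServicesRunning)

    # A property that policy requires but the platform does not offer can keep VBS from starting.
    $missing = @($required | Where-Object { $available -notcontains $_ })
    # A service enabled by policy but not running leaves its protection inactive.
    $stalled = @($configured | Where-Object { $running -notcontains $_ })

    [pscustomobject]@{
        # Status codes: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        VbsRunning             = ([int]$DeviceGuard.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($running -contains 1)
        HvciRunning            = ($running -contains 2)
        MissingRequired        = @(Resolve-Name $script:VbsPropertyNames $missing)
        ConfiguredNotRunning   = @(Resolve-Name $script:VbsServiceNames $stalled)
    }
}

# Constructed sample (not real host output): VBS enabled by policy, DMA protection
# required but not offered by the platform, so neither configured service is running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    AvailableSecurityProperties       = @(1, 2)
    RequiredSecurityProperties        = @(1, 2, 3)
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(0)
}
Get-VbsPosture -DeviceGuard $sample | Format-List
```

Calling Get-VbsPosture with no argument on a Windows Server 2016 host reads the live state instead of the sample.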
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging:
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, learn, detect and alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87: New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1 ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1 ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Untrusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added: Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added: Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added: Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail: Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A / Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required, however SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Next Microsoft Tech Talk
• August 28th
• Microsoft Azure Roadmap – Brian Seymour and Brandon Clark
bull Introduction
bull Security Identity and Access
bull Networking
bull Management
bull Storage
bull Compute
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
bull Windows Server 2012 R2 licensing is processor-based
bull Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
bull Core-based licensing model
bull Offers consistent approach across environments
bull Enable multi-cloud scenarios
bull Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
bull Shielded Virtual Machines software-defined networking
bull Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) CadenceFor Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time CBB amp CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Pathsbull Installation
bull Migration
bull Cluster OS Rolling Upgrade
bull License Conversion (Windows Server 2016 Standard to Datacenter)
bull Upgrade
bull Recommendations for moving to Windows Server 2016
bull Windows Server Installation and Upgrade
bull Upgrade and conversion options
bull Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied ldquoAssume breachrdquo to new Security Designs with the focus to
bull Protect
bull Detect
bull Respond
Control Flow Guard Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code IntegrityEnsure that only permitted binaries can be executed from the moment the OS is booted
Windows DefenderActively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)bull Hypervisor protects Kernel and OS
bull UEFI Secure Boot protects boot process and firmware from tampering
bull UEFI Secure Boot with IOMMU protects against DMA based attacks
bull Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
bull Other optional Protections
bull Secure MOR HSTI UEFI NX and SMM Mitigation
bull VBS Requirements
bull Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential GuardProtect stored credentials from Pass the Hash attacks
bull LSA process talks to a new component called the isolated LSA process which stores and protects secrets Requires Virtualization Based Security to be enabled
Remote Credential GuardProtect credentials over a Remote Desktop connection
bull Credential Guard
Remote Credential Guard
Just In Time Administration Provide privileged access through a workflow that is audited and limited in time
bull Secure Bastion Forest
bull Shadow security principal (groups) in Bastion Forest
bull Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
bull Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Insure VMs are running on a legitimate host leveraging
bull Measured Boot
bull Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
bull Admin
bull TPMTechNet
bull Shielded VMs
bull Guarded Fabric
bull Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect, and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PC's (including managed devices and domain joined PC's)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name.
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – less components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSI's not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows to nest VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VM's to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
• Introduction
• Security, Identity and Access
• Networking
• Management
• Storage
• Compute
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied "Assume breach" to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)bull Hypervisor protects Kernel and OS
bull UEFI Secure Boot protects boot process and firmware from tampering
bull UEFI Secure Boot with IOMMU protects against DMA based attacks
bull Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
bull Other optional Protections
bull Secure MOR HSTI UEFI NX and SMM Mitigation
bull VBS Requirements
bull Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential GuardProtect stored credentials from Pass the Hash attacks
bull LSA process talks to a new component called the isolated LSA process which stores and protects secrets Requires Virtualization Based Security to be enabled
Remote Credential GuardProtect credentials over a Remote Desktop connection
bull Credential Guard
Remote Credential Guard
Just In Time Administration Provide privileged access through a workflow that is audited and limited in time
bull Secure Bastion Forest
bull Shadow security principal (groups) in Bastion Forest
bull Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
bull Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Insure VMs are running on a legitimate host leveraging
bull Measured Boot
bull Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
bull Admin
bull TPMTechNet
bull Shielded VMs
bull Guarded Fabric
bull Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)Analyze Learn Detect and Alert on suspicious activities and abnormal behavior (separate product)
bull Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
bull Advanced Threat Analytics
bull Operations Managment Suite
Operations Management Suite (OMS)Monitor both on-premise and Azure cloud environments in the cloud Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Featuresbull Windows Hello For Business (name change from ldquoMicrosoft Passport for Workrdquo)
bull ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level bull Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level bull Enable rolling of expiring NTLM secrets
bull Allow NTLM authentication when account restricted to selected devices with Authentication Policies
bull Active Directory Schema versions
bull ADFS 2016 Behavior Level
bull Passport Guide (search for schema)
Windows Server 2016 Functional Levels
Whatrsquos New for MIM 2016 SP1
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
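A check of the two DC requirements for NTLM secret rolling, as an added example that is not part of the original deck. It assumes the RSAT ActiveDirectory module; the attribute name msDS-ExpirePasswordsOnSmartCardOnlyAccounts and the functional-level value 7 are not on the slides, and the function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the deck. The attribute below is the domain-object
# flag used for the "opt in for existing domains" step (assumption: not named
# on the slides).
$RollAttr = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

function Get-NtlmSecretRollingStatus {
    [CmdletBinding()]
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domain = Get-ADDomain -Server $Server
    $head = Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                -Properties $RollAttr, 'msDS-Behavior-Version'

    # msDS-Behavior-Version 7 = Windows Server 2016 domain functional level
    $dflOk = [int]$head.'msDS-Behavior-Version' -ge 7

    # Smart-card-only accounts and the age of the oldest secret they still carry
    $scUsers = @(Get-ADUser -Server $Server `
                    -Filter 'SmartcardLogonRequired -eq $true' `
                    -Properties PasswordLastSet)
    $oldest = $scUsers | Sort-Object PasswordLastSet | Select-Object -First 1

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        DomainMode          = $domain.DomainMode
        MeetsDflRequirement = $dflOk
        RollingEnabled      = [bool]$head.$RollAttr
        SmartCardOnlyUsers  = $scUsers.Count
        OldestSecretSet     = $oldest.PasswordLastSet
    }
}

function Enable-NtlmSecretRolling {
    # Opt-in for an existing domain; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $status = Get-NtlmSecretRollingStatus -Server $Server
    if (-not $status.MeetsDflRequirement) {
        throw "Domain $($status.Domain) is at $($status.DomainMode); Windows Server 2016 DFL is required."
    }
    if ($status.RollingEnabled) { return $status }

    $dn = (Get-ADDomain -Server $Server).DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, "Set $RollAttr = TRUE")) {
        Set-ADObject -Identity $dn -Server $Server -Replace @{ $RollAttr = $true }
    }
    Get-NtlmSecretRollingStatus -Server $Server
}

# Report only; makes no change
Get-NtlmSecretRollingStatus | Format-List
```

An old OldestSecretSet date with RollingEnabled False points at smart-card-only accounts whose NTLM secret has not changed since the flag was set on the account.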
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from:
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain-joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 - 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 - 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0 - 80.0% | 4 | Capacity
Mixed | 2 | 33.3 - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure - fewer components, small attack surface
Stable - less patching, bigger uptime; when in doubt, redeploy
Small - 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as:
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported, since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options - Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching - Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server - Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain...
• Clusters with nodes in different domains...
• Clusters with nodes which are member servers / workgroup (not domain joined)...
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
[Figure: member servers in multi-domain and workgroup clusters (Domain A, Domain B)]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections - Allows executing tasks on a group of VMs
• Management Collections - Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump - Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations - Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements - Codec investments
Now implements full-screen AVC 444 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied "Assume breach" to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
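One way to verify on a host that the VBS protections listed above are actually running, as an added example that is not part of the original deck. The Win32_DeviceGuard CIM class, its numeric codes and the function name Get-VbsProtectionStatus are assumptions not shown on the slides; the codes follow Microsoft's published values for that class.

```powershell
# Added example, not from the deck. Run locally in an elevated session.
# Numeric codes below are the documented Win32_DeviceGuard values.
$PropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'UEFI NX protections'
    6 = 'SMM mitigations'
}
$ServiceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$VbsStates    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

function ConvertTo-Name {
    # Map CIM uint32 codes to labels; 0 means "none" and is dropped
    param([hashtable]$Map, $Codes)
    foreach ($c in @($Codes)) {
        $i = [int]$c
        if ($i -eq 0) { continue }
        if ($Map.ContainsKey($i)) { $Map[$i] } else { "Code $i" }
    }
}

function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction Stop

    $available  = @(ConvertTo-Name $PropertyNames $dg.AvailableSecurityProperties)
    $required   = @(ConvertTo-Name $PropertyNames $dg.RequiredSecurityProperties)
    $configured = @(ConvertTo-Name $ServiceNames  $dg.SecurityServicesConfigured)
    $running    = @(ConvertTo-Name $ServiceNames  $dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on legacy BIOS or when not elevated
    try   { $secureBoot = [string](Confirm-SecureBootUEFI) }
    catch { $secureBoot = 'Unknown (BIOS mode or not elevated)' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        VbsStatus             = $VbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        SecureBoot            = $secureBoot
        AvailableProperties   = $available
        # Required by policy but not offered by the platform
        MissingRequired       = @($required   | Where-Object { $_ -notin $available })
        ServicesRunning       = $running
        # Configured by policy but not actually running: the gap to investigate
        ConfiguredNotRunning  = @($configured | Where-Object { $_ -notin $running })
        CredentialGuardActive = 'Credential Guard' -in $running
        HvciActive            = 'HVCI' -in $running
    }
}

Get-VbsProtectionStatus | Format-List
```

A non-empty ConfiguredNotRunning means policy asked for Credential Guard or HVCI but the host is not enforcing it, typically because a required platform property is listed under MissingRequired.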
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Featuresbull Windows Hello For Business (name change from ldquoMicrosoft Passport for Workrdquo)
bull ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level bull Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level bull Enable rolling of expiring NTLM secrets
bull Allow NTLM authentication when account restricted to selected devices with Authentication Policies
bull Active Directory Schema versions
bull ADFS 2016 Behavior Level
bull Passport Guide (search for schema)
Windows Server 2016 Functional Levels
Whatrsquos New for MIM 2016 SP1
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PC’s (including managed devices and domain-joined PC’s)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What’s New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e., DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30–50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70–80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80–90%
General File Share | All of the above | 50–60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed, and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as:
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers into an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSI’s not supported, since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall, or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
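The following is an added example, not part of the original deck: it inventories VM configuration versions after a move from Windows Server 2012 R2 (configuration version 5.0) to Windows Server 2016 (8.0) and reports which VMs are ready for Update-VMVersion. The function name Get-VmVersionPlan and the sample VMs are hypothetical.

```powershell
# Added example (not from the original deck). Get-VmVersionPlan is a
# hypothetical helper; Get-VM and Update-VMVersion are Hyper-V module cmdlets.
function Get-VmVersionPlan {
    param(
        # Output of Get-VM, or any objects with Name, Version and State.
        [Parameter(Mandatory)] [object[]] $Vm,
        [version] $TargetVersion = '8.0'
    )
    foreach ($v in $Vm) {
        $current = [version] $v.Version
        $action = if ($current -ge $TargetVersion) {
            'None (already at target)'
        } elseif ("$($v.State)" -ne 'Off') {
            'Shut down first, then upgrade'      # the upgrade needs the VM off
        } else {
            'Ready for Update-VMVersion'
        }
        [pscustomobject]@{
            Name              = $v.Name
            Version           = $current
            # Only version 5.0 VMs can still run on a 2012 R2 host.
            CanReturnTo2012R2 = ($current -eq [version] '5.0')
            Action            = $action
        }
    }
}

# Constructed sample standing in for Get-VM output.
$sample = @(
    [pscustomobject]@{ Name = 'app01'; Version = '5.0'; State = 'Running' }
    [pscustomobject]@{ Name = 'app02'; Version = '5.0'; State = 'Off' }
    [pscustomobject]@{ Name = 'dc01';  Version = '8.0'; State = 'Running' }
)
Get-VmVersionPlan -Vm $sample | Format-Table -AutoSize

# On a Hyper-V host, review the effect before committing:
# Get-VmVersionPlan -Vm (Get-VM) | Where-Object Action -like 'Ready*' |
#     ForEach-Object { Update-VMVersion -Name $_.Name -WhatIf }
```

The upgrade is one-way: once a VM is at the newer configuration version it can no longer be moved back to a Windows Server 2012 R2 host, so keep at 5.0 any VM that may need to return.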
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VM’s to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS, and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security: Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012: Hyper-V | 200
Chalk Talk - Windows Server 2016: What’s New | 200
Premier Webcast - Windows Server 2012 R2: Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2: Introduction | 200
Premier Webcast - Windows Server 2012: What’s New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server: Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server: Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs: Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell: Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell: For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2: Capabilities, Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2: Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2: Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012: Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016: Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server: Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server: Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server: New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server: Software Defined Storage - Closed Workshop | 400
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX, and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
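Because Credential Guard and HVCI only protect a host while Virtualization Based Security is actually running, the check below (an added example, not part of the original deck) reads the Win32_DeviceGuard CIM class and reports what is configured, what is running, and which required platform features are missing. The function names and the sample object are hypothetical; the numeric value maps are those documented for Win32_DeviceGuard.

```powershell
# Added example (not from the original deck). Value maps follow the
# Win32_DeviceGuard class in namespace root\Microsoft\Windows\DeviceGuard.
$VbsStatusName = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ServiceName   = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$PropertyName  = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot';         3 = 'DMA protection (IOMMU)'
    4 = 'Secure MOR';         5 = 'UEFI NX protections'; 6 = 'SMM mitigations'
}

function Resolve-Name {
    # Hypothetical helper: map a numeric id to a label, keeping unknown ids visible.
    param([hashtable] $Map, $Id)
    $key = [int] $Id                 # CIM returns UInt32; the map keys are Int32
    if ($Map.ContainsKey($key)) { $Map[$key] } else { "id $key" }
}

function Get-VbsPosture {
    # Hypothetical function: turn one Win32_DeviceGuard instance (or an object
    # with the same properties) into a readable report with findings.
    param([Parameter(Mandatory)] $DeviceGuard)

    # Drop the 0 ("none") entries so only real ids remain.
    $configured = @($DeviceGuard.SecurityServicesConfigured  | Where-Object { $_ })
    $running    = @($DeviceGuard.SecurityServicesRunning     | Where-Object { $_ })
    $required   = @($DeviceGuard.RequiredSecurityProperties  | Where-Object { $_ })
    $available  = @($DeviceGuard.AvailableSecurityProperties | Where-Object { $_ })
    $vbs        = [int] $DeviceGuard.VirtualizationBasedSecurityStatus

    $findings = @()
    if ($vbs -ne 2) {
        $findings += 'VBS is not running: Credential Guard and HVCI depend on it.'
    }
    if ($configured -notcontains 1) {
        $findings += 'Credential Guard is not configured.'
    }
    foreach ($id in $configured) {
        if ($running -notcontains $id) {
            $findings += "$(Resolve-Name $ServiceName $id) is configured but not running."
        }
    }
    foreach ($id in $required) {
        if ($available -notcontains $id) {
            $findings += "Required platform feature missing: $(Resolve-Name $PropertyName $id)."
        }
    }

    [pscustomobject]@{
        VbsStatus          = Resolve-Name $VbsStatusName $vbs
        ServicesConfigured = @($configured | ForEach-Object { Resolve-Name $ServiceName $_ })
        ServicesRunning    = @($running    | ForEach-Object { Resolve-Name $ServiceName $_ })
        AvailableFeatures  = @($available  | ForEach-Object { Resolve-Name $PropertyName $_ })
        Findings           = $findings
    }
}

# Constructed sample: both services configured, but VBS cannot start because
# DMA protection (3) is required and the platform does not offer it.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(0)
    RequiredSecurityProperties        = @(1, 2, 3)
    AvailableSecurityProperties       = @(1, 2)
}
(Get-VbsPosture -DeviceGuard $sample).Findings

# On a real host, evaluate the live class (absent on systems without Device Guard).
$live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($live) { Get-VbsPosture -DeviceGuard $live | Format-List }
```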
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect, and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability, and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default; opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card, or Windows Hello for Business (i.e., Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
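The functional-level, FRS and NTLM auto-roll requirements above can be checked together before introducing Windows Server 2016 domain controllers. This added example (not part of the original deck) uses hypothetical function names; it assumes the ActiveDirectory module, that dfsrmig.exe reports its state as "global state: '<Name>'", and that the auto-roll opt-in is the domain attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts, which the slides do not name.

```powershell
# Added example (not from the original deck). Function names are hypothetical.
function Test-Ws2016AdReadiness {
    # Pure evaluation of collected facts, so it can be exercised offline.
    param([Parameter(Mandatory)] $Facts)

    $findings = @()
    if ($Facts.SchemaVersion -lt 87) {
        $findings += "Schema version $($Facts.SchemaVersion): update to 87 before adding Windows Server 2016 DCs."
    }
    if ("$($Facts.DomainMode) $($Facts.ForestMode)" -match '2003') {
        $findings += 'Windows Server 2003 functional level in use: deprecated, not supported in future releases.'
    }
    if ($Facts.SysvolState -ne 'Eliminated') {
        $findings += "SYSVOL migration state is '$($Facts.SysvolState)': FRS still in use or migration to DFS-R incomplete."
    }
    if ($Facts.ForestMode -ne 'Windows2016Forest') {
        $findings += 'Forest functional level is not 2016: PAM in a bastion forest is unavailable.'
    }
    if ($Facts.DomainMode -ne 'Windows2016Domain') {
        $findings += 'Domain functional level is not 2016: NTLM secret rolling and NTLM under device-restricted authentication policies are unavailable.'
    }
    elseif (-not $Facts.AutoRollNtlm) {
        $findings += 'NTLM secret auto-roll is not enabled: existing domains must opt in.'
    }
    $findings
}

function Get-Ws2016AdFacts {
    # Live collection; requires the ActiveDirectory module on a domain member.
    Import-Module ActiveDirectory -ErrorAction Stop
    $root   = Get-ADRootDSE
    $domain = Get-ADDomain
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion
    $domObj = Get-ADObject -Identity $domain.DistinguishedName `
                           -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

    # Assumed output format: Current DFSR global state: 'Eliminated'
    $state = 'Unknown'
    $text  = (& dfsrmig.exe /GetGlobalState) -join "`n"
    if ($text -match "global state: '(\w+)'") { $state = $Matches[1] }

    [pscustomobject]@{
        SchemaVersion = [int] $schema.objectVersion
        DomainMode    = [string] $domain.DomainMode
        ForestMode    = [string] (Get-ADForest).ForestMode
        SysvolState   = $state
        AutoRollNtlm  = [bool] $domObj.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    }
}

# Constructed sample: an older forest that has not been prepared for 2016.
$sample = [pscustomobject]@{
    SchemaVersion = 69
    DomainMode    = 'Windows2008R2Domain'
    ForestMode    = 'Windows2003Forest'
    SysvolState   = 'Start'
    AutoRollNtlm  = $false
}
Test-Ws2016AdReadiness -Facts $sample

# In a real domain:
# Test-Ws2016AdReadiness -Facts (Get-Ws2016AdFacts)
```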
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use a single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64 TB volumes and 1 TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.0% | 2 | Performance
Three-way mirror | 2 | 33.3% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
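PowerShell Direct as described above, in an added example that is not from the original deck: it runs a script block inside each running guest over the Hyper-V socket transport and reports whether network remoting is even configured there. The function name Get-GuestRemotingPosture is hypothetical, and the guests are assumed to run Windows 10 or Windows Server 2016 or later.

```powershell
# Added example (not from the deck). Get-GuestRemotingPosture is a hypothetical helper name.
# Run elevated on the Hyper-V host that owns the VMs.
function Get-GuestRemotingPosture {
    [CmdletBinding()]
    param(
        # Credential valid inside the guest OS. PowerShell Direct bypasses the
        # network path, not guest authentication.
        [Parameter(Mandatory)]
        [pscredential]$GuestCredential,

        # Optional list of VM names; the default is every running VM on this host.
        [string[]]$VMName
    )

    $vms = Get-VM | Where-Object { $_.State -eq 'Running' }
    if ($VMName) { $vms = $vms | Where-Object { $_.Name -in $VMName } }

    foreach ($vm in $vms) {
        try {
            # -VMName (instead of -ComputerName) selects the Hyper-V socket transport:
            # no guest IP address, WinRM listener or firewall rule is involved.
            $r = Invoke-Command -VMName $vm.Name -Credential $GuestCredential `
                                -ErrorAction Stop -ScriptBlock {
                $winrm = Get-Service -Name WinRM
                [pscustomobject]@{
                    GuestHostName    = $env:COMPUTERNAME
                    WinRMStatus      = $winrm.Status.ToString()
                    WinRMStartType   = $winrm.StartType.ToString()
                    FirewallProfiles = (Get-NetFirewallProfile |
                                        Where-Object { $_.Enabled -eq 'True' }).Name -join ', '
                }
            }
            [pscustomobject]@{
                VMName           = $vm.Name
                Reachable        = $true
                GuestHostName    = $r.GuestHostName
                WinRMStatus      = $r.WinRMStatus
                WinRMStartType   = $r.WinRMStartType
                FirewallProfiles = $r.FirewallProfiles
                Error            = $null
            }
        }
        catch {
            # Typical causes: wrong guest credential, guest OS too old, VM still booting.
            [pscustomobject]@{
                VMName           = $vm.Name
                Reachable        = $false
                GuestHostName    = $null
                WinRMStatus      = $null
                WinRMStartType   = $null
                FirewallProfiles = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

# Usage: Get-GuestRemotingPosture -GuestCredential (Get-Credential) | Format-Table -AutoSize
```

A guest that reports WinRM stopped and all firewall profiles enabled is still fully manageable this way, so host administrator rights plus a guest credential should be treated as equivalent to console access to the VM.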
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – allows executing tasks on a group of VMs
• Management Collections – allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to a “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1 GB dedicated VRAM and up to 1 GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections make even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking
• Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (move at the speed of the cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates are not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new security designs, with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA-based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
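One way to check which of the Device Guard (VBS) and Credential Guard protections listed above are actually available and running on a host, as an added example that is not from the original deck. It reads the Win32_DeviceGuard CIM class and calls Confirm-SecureBootUEFI; the function name Get-VbsStatus is hypothetical.

```powershell
# Added example (not from the deck). Get-VbsStatus is a hypothetical helper name.
# Run in an elevated PowerShell session on the host being checked.
function Get-VbsStatus {
    [CmdletBinding()]
    param()

    # Value meanings follow Microsoft's documentation for Win32_DeviceGuard.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $service  = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
    $property = @{
        0 = 'None'
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure Memory Overwrite (MOR)'
        5 = 'UEFI NX protections'
        6 = 'SMM mitigations'
    }

    # Translate an array of numeric codes into names, keeping unknown codes visible.
    $decode = {
        param($codes, $map)
        foreach ($c in @($codes)) {
            if ($map.ContainsKey([int]$c)) { $map[[int]$c] } else { "Unknown ($c)" }
        }
    }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }
    catch {
        # The class is absent on operating systems that predate Device Guard.
        Write-Warning "Win32_DeviceGuard could not be queried: $($_.Exception.Message)"
        return
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware or without elevation;
    # report that case as unknown rather than as "disabled".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $null }

    $running = @(& $decode $dg.SecurityServicesRunning $service)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SecureBootEnabled      = $secureBoot
        VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties    = @(& $decode $dg.AvailableSecurityProperties $property)
        RequiredProperties     = @(& $decode $dg.RequiredSecurityProperties $property)
        ServicesConfigured     = @(& $decode $dg.SecurityServicesConfigured $service)
        ServicesRunning        = $running
        CredentialGuardRunning = $running -contains 'Credential Guard'
        HvciRunning            = $running -contains 'HVCI'
    }
}

Get-VbsStatus | Format-List
```

A service that appears under ServicesConfigured but not under ServicesRunning usually means a required property (for example Secure Boot or IOMMU) is missing from AvailableProperties, or the host has not been rebooted since the policy was applied.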
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, learn, detect and alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best practice is to use DFS-R for SysVol replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1 ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1 ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Untrusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; delivered as separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
[Diagram: member servers in multi-domain (Domain A, Domain B) and workgroup clusters]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS, and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Installation Options
Desktop Experience with Full GUI
Server Core
Nano Server
Windows Container
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied "Assume breach" to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
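The Device Guard and Credential Guard slides above both depend on Virtualization Based Security being enabled. The following PowerShell is an added example, not part of the original deck: it reads the Win32_DeviceGuard CIM class and reports which protections are actually running rather than merely configured. The helper names (Get-CodeList, Resolve-CodeName, Get-VbsReport) and the fallback sample object are constructed for illustration.

```powershell
# Added example: interpret Win32_DeviceGuard to confirm that VBS, Credential Guard
# and HVCI are running, not merely configured by policy.

$VbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ServiceNames   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor Code Integrity (HVCI)' }
$PropertyNames  = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}

# Hypothetical helper: drop $null and the "0 = none" placeholder, return plain ints.
function Get-CodeList {
    param($Values)
    @($Values | Where-Object { $null -ne $_ -and [int]$_ -ne 0 } | ForEach-Object { [int]$_ })
}

# Hypothetical helper: translate numeric codes to names using one of the maps above.
function Resolve-CodeName {
    param([hashtable]$Map, [int[]]$Codes)
    foreach ($c in $Codes) {
        if ($Map.ContainsKey($c)) { $Map[$c] } else { "Unknown ($c)" }
    }
}

function Get-VbsReport {
    param([Parameter(Mandatory)] $DeviceGuard)

    $configured = @(Get-CodeList $DeviceGuard.SecurityServicesConfigured)
    $running    = @(Get-CodeList $DeviceGuard.SecurityServicesRunning)
    $required   = @(Get-CodeList $DeviceGuard.RequiredSecurityProperties)
    $available  = @(Get-CodeList $DeviceGuard.AvailableSecurityProperties)

    # Services turned on by policy that did not actually start.
    $notStarted = @($configured | Where-Object { $running -notcontains $_ })
    # Platform properties the policy demands but the hardware or firmware lacks.
    $missing    = @($required | Where-Object { $available -notcontains $_ })

    $status = [int]$DeviceGuard.VirtualizationBasedSecurityStatus

    [pscustomobject]@{
        VbsStatus                 = Resolve-CodeName -Map $VbsStatusNames -Codes $status
        ServicesRunning           = @(Resolve-CodeName -Map $ServiceNames -Codes $running) -join ', '
        ConfiguredButNotRunning   = @(Resolve-CodeName -Map $ServiceNames -Codes $notStarted) -join ', '
        MissingRequiredProperties = @(Resolve-CodeName -Map $PropertyNames -Codes $missing) -join ', '
        CredentialGuardRunning    = ($running -contains 1)
        HvciRunning               = ($running -contains 2)
    }
}

try {
    # Real class on Windows 10 / Windows Server 2016 and later.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
} catch {
    Write-Warning 'Win32_DeviceGuard not available here; using a constructed sample instead.'
    # Constructed sample: VBS running, Credential Guard started, HVCI configured but
    # not started, and DMA protection required by policy but absent on the platform.
    $dg = [pscustomobject]@{
        VirtualizationBasedSecurityStatus = 2
        SecurityServicesConfigured        = @(1, 2)
        SecurityServicesRunning           = @(1)
        RequiredSecurityProperties        = @(1, 2, 3)
        AvailableSecurityProperties       = @(1, 2)
    }
}

Get-VbsReport -DeviceGuard $dg | Format-List
```

A non-empty ConfiguredButNotRunning or MissingRequiredProperties value is the case worth alerting on: the policy is in place but the host is not getting the protection.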
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
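Added example (not part of the original slides): using PowerShell Direct from the Hyper-V host to collect patch and Windows Defender state from each running VM, with no guest network path involved. The single shared guest credential and the 7-day signature-age threshold are assumptions made for illustration.

```powershell
# Added example: guest health inventory over PowerShell Direct.
# Run elevated on the Hyper-V host. Guests must run Windows 10 / Windows Server 2016 or later.

# Assumption: one guest administrator credential is valid in every VM queried.
$guestCredential = Get-Credential -Message 'Guest administrator account'

# Assumption: signatures older than this many days are worth flagging.
$maxSignatureAgeDays = 7

$inventory = foreach ($vm in Get-VM | Where-Object { $_.State -eq 'Running' }) {
    try {
        # -VMName (instead of -ComputerName) selects the PowerShell Direct transport,
        # so no guest IP address, firewall rule or WinRM listener is needed.
        $guest = Invoke-Command -VMName $vm.Name -Credential $guestCredential `
                                -ErrorAction Stop -ScriptBlock {
            $defender = Get-MpComputerStatus
            $lastFix  = Get-HotFix |
                        Where-Object { $_.InstalledOn } |
                        Sort-Object InstalledOn -Descending |
                        Select-Object -First 1
            [pscustomobject]@{
                GuestName          = $env:COMPUTERNAME
                OsVersion          = [System.Environment]::OSVersion.Version.ToString()
                RealTimeProtection = $defender.RealTimeProtectionEnabled
                SignatureAgeDays   = $defender.AntivirusSignatureAge
                LastHotFix         = $lastFix.HotFixID
                LastHotFixDate     = $lastFix.InstalledOn
            }
        }

        [pscustomobject]@{
            VMName             = $vm.Name
            GuestName          = $guest.GuestName
            OsVersion          = $guest.OsVersion
            RealTimeProtection = $guest.RealTimeProtection
            SignatureAgeDays   = $guest.SignatureAgeDays
            LastHotFix         = $guest.LastHotFix
            LastHotFixDate     = $guest.LastHotFixDate
            Error              = $null
        }
    }
    catch {
        # Wrong credential, unsupported guest OS or a missing Defender module all land here.
        [pscustomobject]@{
            VMName             = $vm.Name
            GuestName          = $null
            OsVersion          = $null
            RealTimeProtection = $null
            SignatureAgeDays   = $null
            LastHotFix         = $null
            LastHotFixDate     = $null
            Error              = $_.Exception.Message
        }
    }
}

# Full inventory, then only the guests that need attention.
$inventory | Sort-Object VMName | Format-Table -AutoSize

$inventory |
    Where-Object {
        $_.Error -or
        $_.RealTimeProtection -eq $false -or
        $_.SignatureAgeDays -gt $maxSignatureAgeDays
    } |
    Format-Table VMName, RealTimeProtection, SignatureAgeDays, Error -AutoSize
```

Because PowerShell Direct bypasses the guest network stack, access to it is governed by Hyper-V administrator rights on the host plus a valid guest credential, so both belong in the same privileged-access review.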
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, with Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
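Added example (not part of the original slides): a host-side check that the Device Guard (VBS) and Credential Guard protections listed above are actually running, not merely configured. It reads the Win32_DeviceGuard WMI class; the finding messages and the choice of which conditions to flag are this example's own.

```powershell
# Added example: audit the local host's Virtualization Based Security (VBS) state.
# Run in an elevated session on Windows 10 / Windows Server 2016 or later.

# WMI class that reports Device Guard / Credential Guard status.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Value maps for the class's numeric properties.
$vbsStatusMap = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$serviceMap   = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'Hypervisor Code Integrity (HVCI)' }
$propertyMap  = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'UEFI Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (Secure MOR)'
    5 = 'UEFI NX protections'
    6 = 'SMM mitigations'
}

function ConvertTo-Name {
    # Translate numeric codes to names; unknown codes stay visible instead of being dropped.
    param([object[]]$Codes, [hashtable]$Map)
    foreach ($code in $Codes) {
        $key = [int]$code   # CIM returns UInt32, the map keys are Int32
        if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
    }
}

# Secure Boot state. The cmdlet throws on legacy BIOS systems and when not elevated,
# so record the reason rather than reporting a misleading "False".
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

$configured = @(ConvertTo-Name -Codes $dg.SecurityServicesConfigured  -Map $serviceMap)
$running    = @(ConvertTo-Name -Codes $dg.SecurityServicesRunning     -Map $serviceMap)
$required   = @(ConvertTo-Name -Codes $dg.RequiredSecurityProperties  -Map $propertyMap)
$available  = @(ConvertTo-Name -Codes $dg.AvailableSecurityProperties -Map $propertyMap)

# LsaIso.exe is the isolated LSA process that holds secrets when Credential Guard runs.
$lsaIsoPresent = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    VbsStatus           = $vbsStatusMap[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured  = $configured -join ', '
    ServicesRunning     = $running -join ', '
    RequiredProperties  = $required -join ', '
    AvailableProperties = $available -join ', '
    SecureBoot          = $secureBoot
    IsolatedLsaPresent  = $lsaIsoPresent
}

# Compare configured state with running state and collect the gaps.
$findings = @()
if ([int]$dg.VirtualizationBasedSecurityStatus -ne 2) {
    $findings += 'VBS is not running; Credential Guard and HVCI cannot protect this host.'
}
foreach ($service in $configured | Where-Object { $_ -ne 'None' }) {
    if ($running -notcontains $service) {
        $findings += "$service is configured but not running (reboot pending or platform requirement unmet)."
    }
}
$missing = $required | Where-Object { $_ -ne 'None' -and $available -notcontains $_ }
if ($missing) {
    $findings += "Required platform features not available: $($missing -join ', ')"
}
if ($running -contains 'Credential Guard' -and -not $lsaIsoPresent) {
    $findings += 'Credential Guard reports running but no LsaIso process was found.'
}

$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'All configured VBS protections are running.' }
```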
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice: use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade, Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .Net Core, ASP.Net Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored.
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System ReFS
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300

Training Workshops Currently Available

Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard: Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity: Ensures that only permitted binaries can be executed from the moment the OS is booted
Windows Defender: Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security): Protects the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA-based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional protections
• Secure MOR, HSTI, UEFI NX, and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protects stored credentials from Pass-the-Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protects credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
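Credential Guard and HVCI only protect anything while Virtualization Based Security is actually running, so a defender needs to verify the running state rather than the configured one. The following is an added example, not part of the presentation, that decodes the Win32_DeviceGuard CIM class; the function names and the sample object are constructed for illustration, while the class, namespace and property names are the real ones.

```powershell
# Added example, not from the deck. Function names and the sample object are
# hypothetical; the CIM class, namespace and property names are the real ones.

$VbsState    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$ServiceName = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$PropertyName = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'UEFI NX'
    6 = 'SMM mitigation'
}

function Resolve-DgCode {
    # Translate the numeric codes in a Win32_DeviceGuard array property to names.
    param([hashtable]$Map, $Codes)
    foreach ($code in @($Codes)) {
        if ($null -eq $code) { continue }
        $key = [int]$code
        if ($key -eq 0) { continue }          # 0 means "none" in these arrays
        if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
    }
}

function Get-VbsPosture {
    # Pass an object to analyse exported data; omit it to query the local host.
    param($DeviceGuard)
    if ($null -eq $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    }

    $configured = @(Resolve-DgCode $ServiceName  $DeviceGuard.SecurityServicesConfigured)
    $running    = @(Resolve-DgCode $ServiceName  $DeviceGuard.SecurityServicesRunning)
    $required   = @(Resolve-DgCode $PropertyName $DeviceGuard.RequiredSecurityProperties)
    $available  = @(Resolve-DgCode $PropertyName $DeviceGuard.AvailableSecurityProperties)

    [pscustomobject]@{
        VbsState                = $VbsState[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardRunning  = $running -contains 'Credential Guard'
        HvciRunning             = $running -contains 'HVCI'
        # Policy asks for the service but it did not start: the gap to alert on.
        ConfiguredButNotRunning = @($configured | Where-Object { $running -notcontains $_ })
        # Platform features the policy requires that the hardware/firmware lacks.
        MissingRequiredProperty = @($required | Where-Object { $available -notcontains $_ })
    }
}

# Constructed sample: VBS is up, HVCI runs, Credential Guard is configured but
# not running, and the policy requires DMA protection the platform lacks.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(2)
    RequiredSecurityProperties        = @(1, 2, 3)
    AvailableSecurityProperties       = @(1, 2, 5)
}

Get-VbsPosture -DeviceGuard $sample | Format-List
```

Calling `Get-VbsPosture` with no argument on a Windows Server 2016 or Windows 10 host reads the live values instead of the sample.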
Just In Time Administration: Provides privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just Enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade, Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added: Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added: Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added: Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail: Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)

Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage

Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware, Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported, since built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain/Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied ldquoAssume breachrdquo to new Security Designs with the focus to
bull Protect
bull Detect
bull Respond
Control Flow Guard Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code IntegrityEnsure that only permitted binaries can be executed from the moment the OS is booted
Windows DefenderActively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)bull Hypervisor protects Kernel and OS
bull UEFI Secure Boot protects boot process and firmware from tampering
bull UEFI Secure Boot with IOMMU protects against DMA based attacks
bull Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
bull Other optional Protections
bull Secure MOR HSTI UEFI NX and SMM Mitigation
bull VBS Requirements
bull Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential GuardProtect stored credentials from Pass the Hash attacks
bull LSA process talks to a new component called the isolated LSA process which stores and protects secrets Requires Virtualization Based Security to be enabled
Remote Credential GuardProtect credentials over a Remote Desktop connection
bull Credential Guard
Remote Credential Guard
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging:
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product).
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privileged Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
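A read-only check of the DC requirements above for an existing domain, as an added example that is not part of the original deck. It assumes the ActiveDirectory RSAT module is available; the function name is hypothetical, and the setting is read from the domain object's msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute.

```powershell
#Requires -Modules ActiveDirectory

function Get-NtlmSecretRollingStatus {
    # Hypothetical helper name. Reports whether the domain meets the functional-level
    # requirement, whether rolling is switched on, and which accounts it applies to.
    [CmdletBinding()]
    param([string]$Server = $env:USERDNSDOMAIN)

    $attr   = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    $domain = Get-ADDomain -Server $Server
    $head   = Get-ADObject -Identity $domain.DistinguishedName -Server $Server -Properties $attr

    # Accounts flagged "smart card is required for interactive logon".
    $smartCardOnly = @(Get-ADUser -Server $Server `
            -Filter 'SmartcardLogonRequired -eq $true' -Properties PasswordLastSet)

    # The five accounts whose stored secret was set longest ago, so stale secrets stand out.
    $oldest = $smartCardOnly | Sort-Object PasswordLastSet |
        Select-Object -First 5 SamAccountName, PasswordLastSet

    $level2016 = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
    [pscustomobject]@{
        Domain               = $domain.DNSRoot
        DomainMode           = $domain.DomainMode
        MeetsFunctionalLevel = $domain.DomainMode -ge $level2016
        RollingEnabled       = [bool]$head.$attr      # unset on domains that never opted in
        SmartCardOnlyUsers   = $smartCardOnly.Count
        OldestSecrets        = $oldest
    }
}

Get-NtlmSecretRollingStatus | Format-List

# Opting an existing domain in is a change to the domain object and needs Domain Admin rights:
# $dn = (Get-ADDomain).DistinguishedName
# Set-ADObject -Identity $dn -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }
```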
Enterprise Mobility End to End
Windows Hello
Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name.
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 - 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 - 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure - fewer components, small attack surface
Stable - less patching, bigger uptime; when in doubt, redeploy
Small - 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options - Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching - Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server - Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections - Allows executing tasks on a group of VMs
• Management Collections - Allows to nest VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump - Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations - Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements - Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Security is its own Silo with a new Focus
Applied ldquoAssume breachrdquo to new Security Designs with the focus to
bull Protect
bull Detect
bull Respond
Control Flow Guard Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code IntegrityEnsure that only permitted binaries can be executed from the moment the OS is booted
Windows DefenderActively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)bull Hypervisor protects Kernel and OS
bull UEFI Secure Boot protects boot process and firmware from tampering
bull UEFI Secure Boot with IOMMU protects against DMA based attacks
bull Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
bull Other optional Protections
bull Secure MOR HSTI UEFI NX and SMM Mitigation
bull VBS Requirements
bull Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential GuardProtect stored credentials from Pass the Hash attacks
bull LSA process talks to a new component called the isolated LSA process which stores and protects secrets Requires Virtualization Based Security to be enabled
Remote Credential GuardProtect credentials over a Remote Desktop connection
bull Credential Guard
Remote Credential Guard
Just In Time Administration Provide privileged access through a workflow that is audited and limited in time
bull Secure Bastion Forest
bull Shadow security principal (groups) in Bastion Forest
bull Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
bull Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Insure VMs are running on a legitimate host leveraging
bull Measured Boot
bull Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
bull Admin
bull TPMTechNet
bull Shielded VMs
bull Guarded Fabric
bull Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)Analyze Learn Detect and Alert on suspicious activities and abnormal behavior (separate product)
bull Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
bull Advanced Threat Analytics
bull Operations Managment Suite
Operations Management Suite (OMS)Monitor both on-premise and Azure cloud environments in the cloud Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Featuresbull Windows Hello For Business (name change from ldquoMicrosoft Passport for Workrdquo)
bull ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level bull Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level bull Enable rolling of expiring NTLM secrets
bull Allow NTLM authentication when account restricted to selected devices with Authentication Policies
bull Active Directory Schema versions
bull ADFS 2016 Behavior Level
bull Passport Guide (search for schema)
Windows Server 2016 Functional Levels
Whatrsquos New for MIM 2016 SP1
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from:
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP: Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180MB WIM, 600MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating the image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain/Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensure that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protect the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privileged Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – less components, small attack surface
Stable – less patching, bigger uptime, when in doubt redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc...)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
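The three driver installation paths listed above, as an added sketch that is not part of the original slides. All paths, the computer name and the driver file name are placeholders; it assumes the NanoServerImageGenerator module from the Windows Server 2016 media, and it adds a signature check on the driver catalogs before anything is injected.

```powershell
# Added example, not from the original deck. Every path and name below is a placeholder.
$DriverDir = 'C:\NanoBuild\Drivers'     # assumed: folder holding the vendor INF/SYS/CAT files
$MediaPath = 'D:\'                      # assumed: mounted Windows Server 2016 ISO
$BasePath  = 'C:\NanoBuild\Base'
$Vhdx      = 'C:\NanoBuild\Nano01.vhdx'
$Mount     = 'C:\NanoBuild\Mount'

# Gate: stop if any driver catalog (.cat) is unsigned or fails validation.
$bad = Get-ChildItem -Path $DriverDir -Recurse -Filter *.cat |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid'
if ($bad) {
    $bad | Format-Table Path, Status, StatusMessage -AutoSize
    throw 'Unsigned or invalid driver catalogs found; nothing was injected.'
}

# 1) Build time: inject the drivers while the image is created.
#    (Prompts for the image's administrator password.)
Import-Module (Join-Path $MediaPath 'NanoServer\NanoServerImageGenerator') -Verbose
New-NanoServerImage -Edition Standard -DeploymentType Host `
    -MediaPath $MediaPath -BasePath $BasePath -TargetPath $Vhdx `
    -ComputerName 'Nano01' -DriverPath $DriverDir

# 2) Offline: add drivers to an existing VHD(X) with the DISM cmdlets.
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Vhdx -Index 1 -Path $Mount | Out-Null
try {
    Add-WindowsDriver -Path $Mount -Driver $DriverDir -Recurse | Out-Null
} catch {
    # Leave the image untouched if any driver fails to add.
    Dismount-WindowsImage -Path $Mount -Discard | Out-Null
    throw
}
Dismount-WindowsImage -Path $Mount -Save | Out-Null

# 3) Online: Nano Server is headless, so run pnputil through PowerShell remoting.
#    The INF must already have been copied to the server.
Invoke-Command -ComputerName 'Nano01' -Credential (Get-Credential) -ScriptBlock {
    pnputil.exe -i -a 'C:\Drivers\vendor\driver.inf'
}
```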
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain...
• Clusters with nodes in different domains...
• Clusters with nodes which are member servers / workgroup (not domain joined)...
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows to nest VM collections
Create with PowerShell: New-VMGroup -GroupType
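The two group types and PowerShell Direct used together, as an added example that is not part of the original slides. The VM names (web01, web02) and group names are hypothetical; it assumes an elevated session on a Windows Server 2016 Hyper-V host and guests that support PowerShell Direct.

```powershell
# Added example, not from the original deck. VM and group names are hypothetical.

# VM collection: holds virtual machines directly.
$web = New-VMGroup -Name 'Web-Tier' -GroupType VMCollectionType
Get-VM -Name 'web01', 'web02' | ForEach-Object {
    Add-VMGroupMember -VMGroup $web -VM $_
}

# Management collection: holds other groups, which is how collections are nested.
$prod = New-VMGroup -Name 'Production' -GroupType ManagementCollectionType
Add-VMGroupMember -VMGroup $prod -VMGroupMember $web

# Resolve the nested group down to its running VMs (re-read the groups so the
# membership added above is reflected).
$vms = (Get-VMGroup -Name 'Production').VMGroupMembers |
    ForEach-Object { (Get-VMGroup -Id $_.InstanceId).VMMembers } |
    Where-Object State -eq 'Running'

# PowerShell Direct: -VMName reaches the guest through the host, not the network,
# so it works with guest WinRM stopped and the guest firewall closed.
# It still needs valid guest credentials and Hyper-V administrator rights on the host.
$cred = Get-Credential -Message 'Guest administrator account'
foreach ($vm in $vms) {
    Invoke-Command -VMName $vm.Name -Credential $cred -ScriptBlock {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            WinRM            = (Get-Service -Name WinRM).Status
            FirewallProfiles = (Get-NetFirewallProfile |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled }) -join '; '
        }
    }
}
```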
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Universal Extensible Firmware Interface
Input-Output Memory Management
Direct Memory Access based attacks
Hypervisor Code Integrity
Credential Guard
Protect stored credentials from Pass the Hash attacks
• LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
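One way to check that the protections listed above are actually in effect on a host, as an added example that is not part of the original slides. It reads the Win32_DeviceGuard CIM class; the function name Get-VbsStatus is a hypothetical helper, and remote queries assume CIM/WinRM access to the target.

```powershell
# Added example, not from the original deck: report VBS, Credential Guard and HVCI state.
function Get-VbsStatus {
    [CmdletBinding()]
    param(
        # Omit for the local machine; remote names need CIM/WinRM access.
        [string[]]$ComputerName
    )

    # Value meanings of the Win32_DeviceGuard properties.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $property = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure Memory Overwrite (MOR)'
        5 = 'UEFI NX protections'
        6 = 'SMM mitigations'
    }
    $describe = {
        param($ids)
        ($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($property.ContainsKey($_)) { $property[$_] } else { "Property $_" }
        }) -join ', '
    }

    $query = @{
        Namespace = 'root\Microsoft\Windows\DeviceGuard'
        ClassName = 'Win32_DeviceGuard'
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    foreach ($dg in Get-CimInstance @query) {
        # CIM returns UInt32 values; cast to int so hashtable lookups match.
        $available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
        $required  = @($dg.RequiredSecurityProperties  | ForEach-Object { [int]$_ })
        $running   = @($dg.SecurityServicesRunning     | ForEach-Object { [int]$_ })
        $missing   = @($required | Where-Object { $_ -ne 0 -and $_ -notin $available })

        [pscustomobject]@{
            Computer               = if ($dg.PSComputerName) { $dg.PSComputerName } else { $env:COMPUTERNAME }
            VbsStatus              = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
            CredentialGuardRunning = 1 -in $running
            HvciRunning            = 2 -in $running
            AvailableProperties    = & $describe $available
            MissingRequired        = & $describe $missing
        }
    }
}

# Hosts where Credential Guard is configured but the isolated LSA is not running
# show CredentialGuardRunning = False.
Get-VbsStatus | Format-List
```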
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke a GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool such as Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd-party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd-party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
[Diagram labels: Member Servers; Multi-domain/Workgroup; Domain A, Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard disk
VHDX resize with no downtime
Guest Clusters: Shared VHDX protected by Hyper-V Replica for disaster recovery
Guest Clusters can have both host-level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to a VM
• Host Resource Protection on the host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
The version of the VM configuration determines which version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – allow executing tasks on a group of VMs
• Management Collections – allow nesting VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to a "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1 GB dedicated VRAM and up to 1 GB of shared memory available in the VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per-seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Credential Guard
Protect stored credentials from Pass-the-Hash attacks
• The LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard
Protect credentials over a Remote Desktop connection
• Credential Guard
• Remote Credential Guard
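Added example (not part of the original slides): because Credential Guard only protects secrets when Virtualization Based Security is actually running, this PowerShell sketch reads the built-in Win32_DeviceGuard CIM class and reports hosts where Credential Guard is configured but not running. The function names, the Protected field and the sample host names are hypothetical; the sample objects are constructed so the logic can be run offline.

```powershell
# Added example, not from the original deck. Function names are hypothetical;
# Win32_DeviceGuard and its properties are the built-in Windows CIM class.

function ConvertTo-CredentialGuardStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$DeviceGuard,

        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        # VirtualizationBasedSecurityStatus:
        #   0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        $vbs = switch ([int]$DeviceGuard.VirtualizationBasedSecurityStatus) {
            0       { 'NotEnabled' }
            1       { 'EnabledNotRunning' }
            2       { 'Running' }
            default { 'Unknown' }
        }

        # In both service arrays the value 1 means Credential Guard (2 is HVCI).
        $configured = @($DeviceGuard.SecurityServicesConfigured) -contains 1
        $running    = @($DeviceGuard.SecurityServicesRunning) -contains 1

        [pscustomobject]@{
            ComputerName              = $ComputerName
            VbsStatus                 = $vbs
            CredentialGuardConfigured = $configured
            CredentialGuardRunning    = $running
            # Secrets are isolated only when VBS is up AND the service is running.
            Protected                 = ($vbs -eq 'Running') -and $running
        }
    }
}

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        try {
            $query = @{
                ClassName   = 'Win32_DeviceGuard'
                Namespace   = 'root\Microsoft\Windows\DeviceGuard'
                ErrorAction = 'Stop'
            }
            # Only go over the network for remote hosts.
            if ($name -ne $env:COMPUTERNAME) { $query.ComputerName = $name }

            Get-CimInstance @query |
                ConvertTo-CredentialGuardStatus -ComputerName $name
        }
        catch {
            # An unreachable host is reported as unprotected rather than skipped.
            [pscustomobject]@{
                ComputerName              = $name
                VbsStatus                 = 'QueryFailed'
                CredentialGuardConfigured = $false
                CredentialGuardRunning    = $false
                Protected                 = $false
            }
        }
    }
}

# Constructed sample objects shaped like Win32_DeviceGuard (not real hosts).
$constructedSamples = @(
    [pscustomobject]@{ Name = 'SAMPLE-HOST-A'; VirtualizationBasedSecurityStatus = 2
                       SecurityServicesConfigured = @(1, 2); SecurityServicesRunning = @(1, 2) }
    # Policy applied but the host has not yet restarted into VBS.
    [pscustomobject]@{ Name = 'SAMPLE-HOST-B'; VirtualizationBasedSecurityStatus = 1
                       SecurityServicesConfigured = @(1);    SecurityServicesRunning = @(0) }
    [pscustomobject]@{ Name = 'SAMPLE-HOST-C'; VirtualizationBasedSecurityStatus = 0
                       SecurityServicesConfigured = @(0);    SecurityServicesRunning = @(0) }
)

$constructedSamples |
    ForEach-Object { ConvertTo-CredentialGuardStatus -DeviceGuard $_ -ComputerName $_.Name } |
    Format-Table -AutoSize

# Live use against real hosts (placeholder names), listing only the gaps:
# Get-CredentialGuardStatus -ComputerName 'HOST-01', 'HOST-02' |
#     Where-Object { -not $_.Protected }
```

The "configured but not running" case is the one worth alerting on: the policy is in place, yet credentials are still held by the regular LSA process.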
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principals (groups) in Bastion Forest
• Time-bound expiration
Just Enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, learn, detect and alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privileged Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New forests will only use DFS-R
• Existing forests: Windows Server 2016 DCs can participate in FRS
• Best practice: use DFS-R for SYSVOL replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New forests: Windows Server 2003 functional levels not available
• Existing forests: Windows Server 2016 DCs can be added if schema version is updated to 87
• Windows Server 2003 functional level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1 ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1 ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent, fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within tens of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart-card-only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade, Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator is not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
User certificate authentication can now be configured on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain-joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is no team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams as available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables the Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on the physical NIC for VMs
VXLAN Encapsulation Task Offloads support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter Bridging with a Hyper-V Switch support added
Use a single ultra-high-bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows can now be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64 TB volumes and 1 TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data integrity, resiliency, availability, speed and efficiency improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption performance improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SYSVOL in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% – 80.0% | 4 | Capacity
Mixed | 2 | 33.3% – 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
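One way to combine the two group types with PowerShell Direct, shown as an added example that is not part of the original slides. The VM names, group names and guest account are assumptions, and the guests are assumed to run Windows 10 or Windows Server 2016.

```powershell
# Added example, not from the original slides. Run in an elevated session on a
# Windows Server 2016 Hyper-V host. VM names, group names and the guest
# account are hypothetical.
#Requires -Modules Hyper-V

$vmNames = 'web01', 'web02'   # assumed: VMs that already exist on this host

# VM collection: its members are virtual machines.
$webTier = New-VMGroup -Name 'WebTier' -GroupType VMCollectionType
Add-VMGroupMember -VMGroup $webTier -VM (Get-VM -Name $vmNames)

# Management collection: its members are other VM groups (nesting).
$prod = New-VMGroup -Name 'Production' -GroupType ManagementCollectionType
Add-VMGroupMember -VMGroup $prod -VMGroupMember (Get-VMGroup -Name 'WebTier')

# Re-read the group so the member list is current, then keep only running VMs.
$running = (Get-VMGroup -Name 'WebTier').VMMembers |
    Where-Object { $_.State -eq 'Running' }

# PowerShell Direct still authenticates to the guest OS: host administrator
# rights alone are not enough, a valid guest credential is required.
$cred = Get-Credential -Message 'Administrator account inside the guests'

if ($running) {
    # -VMName goes over the VMBus, so this audit works even while network
    # remote management in the guest stays closed.
    Invoke-Command -VMName $running.Name -Credential $cred -ScriptBlock {
        $offProfiles = @(Get-NetFirewallProfile |
            Where-Object { $_.Enabled -ne 'True' })
        [pscustomobject]@{
            Guest               = $env:COMPUTERNAME
            WinRMService        = (Get-Service -Name WinRM).Status
            FirewallProfilesOff = $offProfiles.Name -join ','
        }
    }
}
```

The report shows, per guest, whether the WinRM service is running and which firewall profiles are disabled, which is a quick check that relying on PowerShell Direct has not been used as a reason to open network management paths.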
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to a "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Just In Time Administration
Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
Just enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing Virtual Machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privileged Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams; those are available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines' memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging:
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet
• Shielded VMs
• Guarded Fabric
• Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from "Microsoft Passport for Work")
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What's New for MIM 2016 SP1
Deprecation of FRS
• New Forests: will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice: use DFS-R for SysVol replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10's of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
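An added example, not part of the original slides: a read-only PowerShell check of the prerequisites the two NTLM slides above list (2016 domain functional level, the opt-in for existing domains, and NTLM enabled on the authentication policy). It assumes the RSAT ActiveDirectory module; the function name, the 90-day threshold and the msDS-* attribute names are assumptions that do not appear on the slides.

```powershell
# Added example, not from the slides. Assumes the RSAT ActiveDirectory module and
# read access to the domain. The msDS-* LDAP attribute names are assumed to be the
# names used by the Windows Server 2016 schema; they are not given on the slides.
Import-Module ActiveDirectory

function Get-NtlmPolicyReadiness {
    [CmdletBinding()]
    param(
        # Hypothetical threshold: flag smart-card-only accounts whose password-derived
        # NTLM secret has not changed for this many days.
        [int]$StaleAfterDays = 90
    )

    # Both features on the slides require the Windows Server 2016 domain functional level.
    $domain = Get-ADDomain
    $dflOk  = $domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain

    # Auto-roll is opt-in on existing domains; the setting is read from the domain head object.
    $head     = Get-ADObject -Identity $domain.DistinguishedName `
                    -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    $autoRoll = [bool]$head.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

    # Enabled smart-card-only users whose secret is older than the threshold: these are
    # the accounts whose old NTLM secrets the auto-roll feature is meant to invalidate.
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    $stale  = @(Get-ADUser -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
                    -Properties PasswordLastSet |
                Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
                Select-Object SamAccountName, PasswordLastSet)

    # Authentication policies: which ones restrict users to selected devices, and
    # whether NTLM network authentication has been allowed on them.
    $policies = @(Get-ADAuthenticationPolicy -Filter * `
                    -Properties 'msDS-UserAllowedToAuthenticateFrom',
                                'msDS-UserAllowedNTLMNetworkAuthentication' |
                  ForEach-Object {
                      [pscustomobject]@{
                          Name             = $_.Name
                          Enforced         = $_.Enforce
                          RestrictsDevices = [bool]$_.'msDS-UserAllowedToAuthenticateFrom'
                          NtlmAllowed      = [bool]$_.'msDS-UserAllowedNTLMNetworkAuthentication'
                      }
                  })

    [pscustomobject]@{
        Domain                  = $domain.DNSRoot
        DomainMode              = $domain.DomainMode
        Is2016DomainLevel       = $dflOk
        AutoRollNtlmSecrets     = $autoRoll
        StaleSmartCardOnlyUsers = $stale
        AuthenticationPolicies  = $policies
    }
}

# Review the result; nothing in the directory is modified.
Get-NtlmPolicyReadiness | Format-List
```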
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from:
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Can now configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP: Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows can now be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS, and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
bull Admin
bull TPMTechNet
bull Shielded VMs
bull Guarded Fabric
bull Attestation Modes
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)Analyze Learn Detect and Alert on suspicious activities and abnormal behavior (separate product)
bull Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile
bull Advanced Threat Analytics
bull Operations Managment Suite
Operations Management Suite (OMS)Monitor both on-premise and Azure cloud environments in the cloud Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Featuresbull Windows Hello For Business (name change from ldquoMicrosoft Passport for Workrdquo)
bull ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level bull Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level bull Enable rolling of expiring NTLM secrets
bull Allow NTLM authentication when account restricted to selected devices with Authentication Policies
bull Active Directory Schema versions
bull ADFS 2016 Behavior Level
bull Passport Guide (search for schema)
Windows Server 2016 Functional Levels
Whatrsquos New for MIM 2016 SP1
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is no team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams as available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions, a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 Whats New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premises and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions, you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM Enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
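The opt-in check for an existing domain, as an added example that is not part of the original slides: it verifies the domain functional level requirement, reports whether NTLM secret rolling is switched on, counts the smart-card-required accounts it affects, and enables it on request. It assumes the ActiveDirectory RSAT module and that the setting is stored in the domain-head attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts (a name not given on the slide); the function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# Assumption: attribute on the domain naming-context head that controls
# rolling of expiring NTLM secrets (not named in the slides).
$RollAttr = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'

function Get-NtlmSecretRollStatus {
    [CmdletBinding()]
    param([string]$Server = $env:USERDNSDOMAIN)

    $domain = Get-ADDomain -Server $Server
    $head   = Get-ADObject -Identity $domain.DistinguishedName -Server $Server `
                  -Properties 'msDS-Behavior-Version', $RollAttr

    # Enabled accounts flagged "smart card is required for interactive logon":
    # userAccountControl bit 0x40000 (262144) set, bit 0x2 (disabled) clear.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=262144)' +
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $scUsers = @(Get-ADUser -Server $Server -LDAPFilter $ldap)

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        DomainDN            = $domain.DistinguishedName
        FunctionalLevel     = $head.'msDS-Behavior-Version'
        # msDS-Behavior-Version 7 corresponds to Windows Server 2016.
        MeetsDflRequirement = ($head.'msDS-Behavior-Version' -ge 7)
        RollingEnabled      = ($head.$RollAttr -eq $true)
        SmartCardOnlyUsers  = $scUsers.Count
    }
}

function Enable-NtlmSecretRoll {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server = $env:USERDNSDOMAIN)

    $status = Get-NtlmSecretRollStatus -Server $Server
    if (-not $status.MeetsDflRequirement) {
        throw "Domain $($status.Domain) is below the Windows Server 2016 domain functional level."
    }
    if ($status.RollingEnabled) {
        Write-Verbose "NTLM secret rolling is already enabled in $($status.Domain)."
        return $status
    }
    # Existing domains must opt in; -WhatIf shows the change without making it.
    if ($PSCmdlet.ShouldProcess($status.DomainDN, "Set $RollAttr = TRUE")) {
        Set-ADObject -Identity $status.DomainDN -Server $Server -Replace @{ $RollAttr = $true }
    }
    Get-NtlmSecretRollStatus -Server $Server
}

# Usage:
#   Get-NtlmSecretRollStatus
#   Enable-NtlmSecretRoll -WhatIf
```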
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
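The Management slide's advice to use PowerShell DSC in place of Group Policy, as an added example that is not part of the original deck: two settings normally delivered through GPO security options are compiled on a management machine and pushed to a Nano Server. The node name NANO01 is a placeholder, and the node is assumed to be domain joined with the Desired State Configuration package in its image.

```powershell
# Added example, not from the original deck. Run from a management workstation;
# the Nano Server only receives the compiled MOF over a CIM (WinRM) session.
# Assumptions: 'NANO01' is a placeholder, the node is domain joined, and the
# DSC package was included when the image was built.

Configuration NanoSecurityBaseline {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        # GPO equivalent: "Microsoft network server: Digitally sign communications (always)"
        Registry RequireSmbServerSigning {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
        }

        # GPO equivalent: "Network security: LAN Manager authentication level"
        # 5 = send NTLMv2 responses only, refuse LM and NTLM
        Registry NtlmV2Only {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
        }
    }
}

$node    = 'NANO01'                                   # placeholder node name
$outPath = Join-Path $env:TEMP 'NanoSecurityBaseline' # where the MOF is written

# Compile the configuration to <outPath>\NANO01.mof
NanoSecurityBaseline -ComputerName $node -OutputPath $outPath | Out-Null

$session = New-CimSession -ComputerName $node -Credential (Get-Credential)
try {
    # Push the configuration and wait for the Local Configuration Manager to apply it
    Start-DscConfiguration -Path $outPath -CimSession $session -Wait -Force -Verbose

    # Drift check: list any resource that is not in the desired state
    $check = Test-DscConfiguration -CimSession $session -Detailed
    if (-not $check.InDesiredState) {
        $check.ResourcesNotInDesiredState |
            Select-Object ResourceId, InDesiredState |
            Format-Table -AutoSize
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

Re-running only the Test-DscConfiguration step on a schedule gives a drift report without reapplying anything.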
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare:
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
The version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
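The VM Collections and PowerShell Direct slides combined, as an added example that is not part of the original deck: a VM collection is created on the Hyper-V host and each running member is queried for its Defender status over PowerShell Direct, with no network path to the guest. The group name and VM names are hypothetical, and the guests are assumed to run Windows Server 2016 or Windows 10 with Windows Defender present.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example, not from the original deck. Run on the Hyper-V host.
# Assumptions: group and VM names below are hypothetical; guests run
# Windows Server 2016 / Windows 10 and have Windows Defender installed.

$groupName = 'Tier0-Guests'        # hypothetical collection name
$vmNames   = 'DC01', 'DC02'        # hypothetical VM names

# Create the VM collection once
if (-not (Get-VMGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-VMGroup -Name $groupName -GroupType VMCollectionType | Out-Null
}

# Add any VM that is not already a member
$current = (Get-VMGroup -Name $groupName).VMMembers.Name
foreach ($vm in Get-VM -Name $vmNames) {
    if ($current -notcontains $vm.Name) {
        Add-VMGroupMember -Name $groupName -VM $vm
    }
}

# PowerShell Direct authenticates with guest credentials, not host credentials
$cred = Get-Credential -Message 'Administrator account inside the guests'

$report = foreach ($vm in (Get-VMGroup -Name $groupName).VMMembers) {
    if ($vm.State -ne 'Running') {
        [pscustomobject]@{ VM = $vm.Name; Status = 'Skipped (not running)' }
        continue
    }
    try {
        # -VMId selects the Hyper-V socket transport; no WinRM or firewall rule is used
        $guest = Invoke-Command -VMId $vm.VMId -Credential $cred -ErrorAction Stop -ScriptBlock {
            $mp = Get-MpComputerStatus
            [pscustomobject]@{
                GuestName        = $env:COMPUTERNAME
                OsVersion        = [Environment]::OSVersion.Version.ToString()
                AntivirusEnabled = $mp.AntivirusEnabled
                RealTimeEnabled  = $mp.RealTimeProtectionEnabled
                SignatureAgeDays = $mp.AntivirusSignatureAge
            }
        }
        [pscustomobject]@{
            VM               = $vm.Name
            Status           = 'OK'
            GuestName        = $guest.GuestName
            OsVersion        = $guest.OsVersion
            AntivirusEnabled = $guest.AntivirusEnabled
            RealTimeEnabled  = $guest.RealTimeEnabled
            SignatureAgeDays = $guest.SignatureAgeDays
        }
    }
    catch {
        # Wrong credentials, guest too old for PowerShell Direct, Defender missing, etc.
        [pscustomobject]@{ VM = $vm.Name; Status = "Failed: $($_.Exception.Message)" }
    }
}

$report | Format-Table VM, Status, GuestName, OsVersion, AntivirusEnabled, RealTimeEnabled, SignatureAgeDays -AutoSize
```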
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location; fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Microsoft Advanced Threat Analytics (ATA)
Analyze, Learn, Detect and Alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data sources in your network to learn the behavior of users and other entities and build a behavioral profile
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS)
Monitor both on-premise and Azure cloud environments in the cloud. Can connect to SCOM (separate product)
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello for Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests: will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best practice is to use DFS-R for SysVol replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires:
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
| Scenario | Typical Content | Space Savings |
| User Documents | Office documents, photos, music, videos, etc. | 30 – 50% |
| Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80% |
| Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90% |
| General File Share | All of the above | 50 – 60% |
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved and the VM is moved to a “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privilege Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best practice is to use DFS-R for SysVol replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate Time
Maintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
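A read-only audit of the two NTLM features above (device-restricted authentication policies and auto-rolled NTLM secrets), added here as an example and not taken from the slides. It assumes the ActiveDirectory RSAT module and a reachable domain controller; the function name Get-NtlmHardeningState is hypothetical, and treating a secret older than the domain maximum password age as stale is an assumption of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the slides. Read-only: nothing in the directory is modified.

function Get-NtlmHardeningState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Optional domain or DC to query; the current domain is used when omitted.
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common.Server = $Server }

    $domain = Get-ADDomain @common

    # msDS-Behavior-Version 7 = Windows Server 2016 domain functional level,
    # the prerequisite the slides give for both NTLM features.
    $dfl = (Get-ADObject @common -Identity $domain.DistinguishedName `
            -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'

    # Opt-in switch for rolling NTLM secrets of smart-card-only accounts.
    # On a schema older than 2016 the attribute does not exist and the read fails.
    $rolling = $false
    try {
        $obj = Get-ADObject @common -Identity $domain.DistinguishedName `
            -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' -ErrorAction Stop
        $rolling = [bool]$obj.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
    } catch {
        Write-Verbose "Rolling attribute not readable: $($_.Exception.Message)"
    }

    # Enabled accounts that may only sign in with a smart card.
    $users = @(Get-ADUser @common `
        -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' `
        -Properties PasswordLastSet)

    # Assumption of this example: an NTLM secret older than the domain maximum
    # password age is reported as stale. A zero MaxPasswordAge means no expiry.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy @common).MaxPasswordAge
    $now    = Get-Date
    $stale  = @($users | Where-Object {
        $maxAge -gt [timespan]::Zero -and
        (-not $_.PasswordLastSet -or ($now - $_.PasswordLastSet) -gt $maxAge)
    } | Select-Object SamAccountName, PasswordLastSet)

    # Policies that restrict users to selected devices, with their NTLM setting.
    # Property names are those exposed by the Windows Server 2016 and later module.
    $policies = @(Get-ADAuthenticationPolicy @common -Filter * |
        Where-Object { $_.UserAllowedToAuthenticateFrom } |
        Select-Object Name, Enforce, UserAllowedNTLMNetworkAuthentication)

    [pscustomobject]@{
        Domain                   = $domain.DNSRoot
        Is2016DomainFL           = ($dfl -ge 7)
        NtlmSecretRollingEnabled = $rolling
        MaxPasswordAge           = $maxAge
        SmartCardOnlyUsers       = $users.Count
        StaleNtlmSecrets         = $stale
        DeviceRestrictedPolicies = $policies
    }
}

Get-NtlmHardeningState -Verbose | Format-List
```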
Enterprise Mobility End to End
Windows Hello: Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is no team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams (available with NIC Teaming (LBFO))
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use a single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Schema Version 70 through 87 New Featuresbull Windows Hello For Business (name change from ldquoMicrosoft Passport for Workrdquo)
bull ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level bull Privilege Access Management (PAM) Service in Bastion AD Forest (supported not required)
Windows Server 2016 Domain Functional Level bull Enable rolling of expiring NTLM secrets
bull Allow NTLM authentication when account restricted to selected devices with Authentication Policies
bull Active Directory Schema versions
bull ADFS 2016 Behavior Level
bull Passport Guide (search for schema)
Windows Server 2016 Functional Levels
Whatrsquos New for MIM 2016 SP1
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
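The DC requirements above can be checked from an administrative workstation. The following PowerShell is an added example, not part of the original deck, and assumes the ActiveDirectory RSAT module; the function name Get-NtlmSecretRollingStatus, the 90-day threshold and the use of PasswordLastSet as a proxy for the age of the NTLM secret are assumptions of this example, while the opt-in flag it reads is the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain object.

```powershell
#Requires -Modules ActiveDirectory

function Get-NtlmSecretRollingStatus {
    [CmdletBinding()]
    param(
        # Assumption of this example: a secret older than this many days is reported as stale.
        [int]$StaleAfterDays = 90
    )

    $domain = Get-ADDomain

    # Requirement from the slide: Windows Server 2016 domain functional level.
    $functionalLevelOk = "$($domain.DomainMode)" -eq 'Windows2016Domain'

    # Existing domains must opt in; the switch is an attribute on the domain object.
    # On a forest whose schema predates Windows Server 2016 the attribute does not exist,
    # so a failed read is reported as "not enabled" instead of aborting the audit.
    $rollingEnabled = $false
    try {
        $head = Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' -ErrorAction Stop
        $rollingEnabled = $head.'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' -eq $true
    }
    catch {
        Write-Warning "Could not read the rolling flag: $($_.Exception.Message)"
    }

    # Enabled users with SMARTCARD_REQUIRED (0x40000 = 262144) set
    # and ACCOUNTDISABLE (0x2) clear in userAccountControl.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=262144)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    $accounts = @(
        Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet |
            ForEach-Object {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    # Assumption: PasswordLastSet approximates when the NTLM secret last changed.
                    StaleSecret     = ($null -eq $_.PasswordLastSet) -or
                                      ($_.PasswordLastSet -lt $cutoff)
                }
            }
    )

    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        DomainMode         = $domain.DomainMode
        FunctionalLevelOk  = $functionalLevelOk
        RollingEnabled     = $rollingEnabled
        SmartCardOnlyUsers = $accounts.Count
        StaleAccounts      = @($accounts | Where-Object StaleSecret)
    }
}

$status = Get-NtlmSecretRollingStatus
$status | Format-List Domain, DomainMode, FunctionalLevelOk, RollingEnabled, SmartCardOnlyUsers
$status.StaleAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize

# Opt-in for an existing domain, once the functional level is in place:
# Set-ADObject -Identity (Get-ADDomain).DistinguishedName `
#     -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }
```

Accounts that still show as stale after the flag is enabled are the ones whose old NTLM secret remains usable and are worth reviewing first.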
Enterprise Mobility End to End
Windows Hello
Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PC's (including managed devices and domain joined PC's)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 - 90%
General File Share | All of the above | 50 - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – less components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .Net Core, ASP.Net Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSI's not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
[Diagram labels: Member Servers; Multi-domain / Workgroup; Domain A, Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VM's to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Deprecation of FRSbull New Forests will only use DFS-R
bull Existing Forests Windows Server 2016 DCs can participate in FRS
bull Best Practice to use DFS-R for SysVol Replication for performance manageability and support
Deprecation of Windows Server 2003 Functional Levelbull New Forests Windows Server 2003 Functional Levels not available
bull Existing Forests Windows Server 2016 DCs can be added if schema version updated to 87
bull Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows 2016 Accurate TimeMaintains a 1ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvementsbull Elimination of rounding errors while calculating time
bull More frequent fine tuned adjustments leading to better accuracy
bull More accurate time server estimation
bull Leading to accuracy within 10rsquos of micro seconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with ldquoAuthentication Policiesrdquo
Requires
bull Windows Server 2016 domain FL
bull NTLM Enabled on authentication
policy
Note First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
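The three driver paths listed above, as an added example (not from the original slides) that refuses to inject any driver package whose catalog is not validly signed. Every path, computer name and function name here is a placeholder or assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck. Every path and name is a placeholder.

function Get-UnsignedDriverPackage {
    # Returns each INF whose folder holds no catalog (.cat) with a valid signature.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($inf in Get-ChildItem -Path $Path -Filter *.inf -Recurse -File) {
        $validCat = Get-ChildItem -Path $inf.DirectoryName -Filter *.cat -File |
            Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid' }
        if (-not $validCat) { $inf.FullName }
    }
}

function Assert-DriverPackagesSigned {
    # Stops the caller before anything is written to an image or server.
    param([Parameter(Mandatory)][string]$Path)
    $unsigned = @(Get-UnsignedDriverPackage -Path $Path)
    if ($unsigned.Count -gt 0) {
        throw "Driver packages without a valid signed catalog; nothing injected:`n$($unsigned -join "`n")"
    }
}

function New-NanoImageWithDrivers {
    # Path 1: bake the drivers into a new image with New-NanoServerImage -DriverPath.
    param($MediaPath, $TargetPath, $ComputerName, $DriverRoot)
    Assert-DriverPackagesSigned -Path $DriverRoot
    Import-Module (Join-Path $MediaPath 'NanoServer\NanoServerImageGenerator') -Verbose
    New-NanoServerImage -Edition Standard -DeploymentType Host -MediaPath $MediaPath `
        -BasePath (Join-Path (Split-Path $TargetPath) 'Base') -TargetPath $TargetPath `
        -ComputerName $ComputerName -DriverPath $DriverRoot
}

function Add-DriverToOfflineNanoImage {
    # Path 2: DISM cmdlets against an offline VHD/VHDX. -ForceUnsigned is deliberately not used.
    param($VhdPath, $MountDir, $DriverRoot)
    Assert-DriverPackagesSigned -Path $DriverRoot
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $VhdPath -Index 1 -Path $MountDir | Out-Null
    try {
        Add-WindowsDriver -Path $MountDir -Driver $DriverRoot -Recurse | Out-Null
        $injected = Get-WindowsDriver -Path $MountDir   # third-party drivers now in the image
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $injected | Select-Object Driver, OriginalFileName, ProviderName, Version
    } catch {
        # Leave the image untouched if anything failed part-way.
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}

function Add-DriverToRunningNano {
    # Path 3: copy the verified packages to a running server and install with pnputil.exe.
    param($ComputerName, [pscredential]$Credential, $DriverRoot)
    Assert-DriverPackagesSigned -Path $DriverRoot
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential
    try {
        Copy-Item -Path $DriverRoot -Destination 'C:\DriverStage' -Recurse -ToSession $session
        Invoke-Command -Session $session {
            pnputil.exe /add-driver 'C:\DriverStage\*.inf' /subdirs /install
        }
    } finally {
        Remove-PSSession $session
    }
}

# Sample call (placeholder paths): inject into an existing offline image.
Add-DriverToOfflineNanoImage -VhdPath 'C:\Nano\NanoHost01.vhdx' `
    -MountDir 'C:\Nano\Mount' -DriverRoot 'C:\Drivers\NanoHost'
```

A catalog only reports `Valid` when its signing chain is trusted on the machine running the check, so run it on a build host with the same trusted roots as production.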
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
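Because Group Policy is not applied on Nano Server, a setting that would normally arrive through a GPO has to be pushed and checked with DSC, as the Application Installation and Management slides both say. The added example below (not from the original slides) pushes an SMB-signing baseline and reports drift; the node name, output path and chosen settings are assumptions, and the Nano image is assumed to include the DSC package.

```powershell
# Added example, not from the original deck. Node name and paths are placeholders.

Configuration NanoSmbBaseline {
    param([Parameter(Mandatory)][string[]]$NodeName)

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # SMB server side: reject sessions that do not sign.
        Registry ServerRequireSigning {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Force     = $true
        }
        # SMB client side: require signing when this server connects out.
        Registry ClientRequireSigning {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
            ValueName = 'RequireSecuritySignature'
            ValueType = 'Dword'
            ValueData = '1'
            Force     = $true
        }
    }
}

$nodes   = 'NANO01'                      # placeholder Nano Server name
$mofPath = 'C:\Dsc\NanoSmbBaseline'      # placeholder output folder
$cred    = Get-Credential

# Compile one MOF per node on the management host, then push it (no pull server needed).
NanoSmbBaseline -NodeName $nodes -OutputPath $mofPath | Out-Null
$cim = New-CimSession -ComputerName $nodes -Credential $cred
try {
    Start-DscConfiguration -Path $mofPath -CimSession $cim -Wait -Force -Verbose

    # Drift report: the DSC counterpart of checking that a GPO actually applied.
    Test-DscConfiguration -CimSession $cim -Detailed |
        Select-Object PSComputerName, InDesiredState,
            @{ n = 'Drift'; e = { $_.ResourcesNotInDesiredState.ResourceId -join ', ' } }
} finally {
    Remove-CimSession $cim
}
```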
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over to using certificates
[Diagram labels: Member Servers; Multi-domain/Workgroup; Domain A; Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1 GB dedicated VRAM and up to 1 GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g., DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Windows 2016 Accurate Time
Maintains a 1 ms or better accuracy with UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain a 1 ms accuracy with respect to UTC or better for Windows Server 2016 and Windows 10 (1607) domain members
Improvements
• Elimination of rounding errors while calculating time
• More frequent fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within 10’s of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e., Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
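A read-only check of the two domain-side settings described above, as an added example that is not from the original slides. It assumes the ActiveDirectory RSAT module on a management host; the function name and the 90-day threshold are assumptions.

```powershell
# Added example, not from the original deck. Read-only: nothing in the directory is changed.
Import-Module ActiveDirectory   # RSAT Active Directory module (assumption)

function Get-NtlmPolicyPosture {
    param(
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$MaxSecretAgeDays = 90      # constructed threshold, tune for your environment
    )

    $domain = Get-ADDomain -Server $Server

    # Both features on the slides require the Windows Server 2016 domain functional level.
    $dfl2016 = $domain.DomainMode -ge 'Windows2016Domain'

    # Authentication policies that restrict users to selected devices,
    # and whether each one allows NTLM network authentication.
    $policies = Get-ADAuthenticationPolicy -Filter * -Server $Server |
        Where-Object { $_.UserAllowedToAuthenticateFrom } |
        Select-Object Name, Enforce, UserAllowedNTLMNetworkAuthentication

    # Smart-card-only accounts whose secret has not changed within the threshold.
    $cutoff = (Get-Date).AddDays(-$MaxSecretAgeDays)
    $stale = Get-ADUser -Server $Server -Properties PasswordLastSet `
            -Filter 'SmartcardLogonRequired -eq $true -and Enabled -eq $true' |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet

    [pscustomobject]@{
        Domain                   = $domain.DNSRoot
        DomainMode               = $domain.DomainMode
        MeetsDfl2016             = $dfl2016
        # Opt-in flag for existing domains; on by default for new 2016 domains.
        NtlmSecretRollingEnabled = $domain.PublicKeyRequiredPasswordRolling
        DeviceRestrictedPolicies = $policies
        StaleSmartcardAccounts   = $stale
    }
}

$report = Get-NtlmPolicyPosture
$report | Format-List Domain, DomainMode, MeetsDfl2016, NtlmSecretRollingEnabled
$report.DeviceRestrictedPolicies | Format-Table -AutoSize
$report.StaleSmartcardAccounts   | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

On an existing domain the opt-in is made with `Set-ADDomain -PublicKeyRequiredPasswordRolling $true`, once the domain is at the 2016 functional level.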
Enterprise Mobility End to End
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade, Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Untrusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain-joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Allow NTLM network authentication when user is restricted to selected devices with "Authentication Policies"
Requires
• Windows Server 2016 domain FL
• NTLM enabled on authentication policy
Note: First generation of authentication policies blocked NTLM since they could not determine what device it comes from
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello
Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is no team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data integrity, resiliency, availability, speed and efficiency improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption performance improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.0% | 2 | Performance
Three-way mirror | 2 | 33.3% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
Auto-roll NTLM Secrets for Smartcard UsersPurpose Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements
bull Windows Server 2016 Domain Functional Level
bull Enabled on new domains by default Opt in for existing domains
Device requirements
bull Ability to sign on with a smart card virtual smart card or Windows Hello for Business (ie Passport for Work)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello Built-in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition Fingerprints etc)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use a single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30–50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70–80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80–90%
General File Share | All of the above | 50–60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
[Diagram: Member Servers; Multi-domain / Workgroup; Domain A, Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting VM collections
Create with PowerShell: New-VMGroup -GroupType
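The PowerShell Direct and Virtual Machine Groups slides combine into a host-side audit that needs no WinRM listener or firewall rule in the guests. The script below is an added example, not from the presentation; the group names, VM names and the checks run inside the guest are assumptions, and the guests are assumed to run Windows 10 or Windows Server 2016 with Windows Defender present.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Assumed names for illustration only; none of them come from the presentation.
$collectionName = 'Tier0-Guests'          # hypothetical VM collection
$managementName = 'Audited-Collections'   # hypothetical management collection
$memberVmNames  = @('DC01', 'PKI01')      # hypothetical VMs on this Hyper-V host

function Get-OrCreateVMGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('VMCollectionType', 'ManagementCollectionType')]
        [string] $GroupType
    )
    # Re-running the script must not fail on a group that already exists.
    $group = Get-VMGroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-VMGroup -Name $Name -GroupType $GroupType
    }
    $group
}

# A VM collection holds VMs; a management collection holds VM collections.
$collection = Get-OrCreateVMGroup -Name $collectionName -GroupType VMCollectionType
$management = Get-OrCreateVMGroup -Name $managementName -GroupType ManagementCollectionType

foreach ($vm in Get-VM -Name $memberVmNames -ErrorAction Stop) {
    if ($collection.VMMembers.Name -notcontains $vm.Name) {
        Add-VMGroupMember -VMGroup $collection -VM $vm
    }
}
if ($management.VMGroupMembers.Name -notcontains $collection.Name) {
    Add-VMGroupMember -VMGroup $management -VMGroupMember $collection
}

# Checks executed inside each guest. They run in the guest's own session,
# so only cmdlets that exist in the guest can be used here.
$guestAudit = {
    $defender = Get-MpComputerStatus
    $disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $lastFix  = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        RealTimeProtection  = $defender.RealTimeProtectionEnabled
        SignatureAgeDays    = $defender.AntivirusSignatureAge
        FirewallProfilesOff = $disabled.Name -join ','
        LastHotFix          = $lastFix.HotFixID
    }
}

$guestCred = Get-Credential -Message 'Administrator account inside the guests'

# "Executing tasks on a group of VMs": walk the collection's members.
$report = foreach ($vm in (Get-VMGroup -Name $collectionName).VMMembers) {
    $row = [ordered]@{
        VM = $vm.Name; Audited = $false; RealTimeProtection = $null
        SignatureAgeDays = $null; FirewallProfilesOff = $null
        LastHotFix = $null; Detail = $null
    }
    if ($vm.State -ne 'Running') {
        $row.Detail = "skipped, VM state is $($vm.State)"
    }
    else {
        try {
            # -VMName selects PowerShell Direct: the session uses the
            # host-to-guest channel, not the guest's network stack.
            $result = Invoke-Command -VMName $vm.Name -Credential $guestCred `
                                     -ScriptBlock $guestAudit -ErrorAction Stop
            $row.Audited             = $true
            $row.RealTimeProtection  = $result.RealTimeProtection
            $row.SignatureAgeDays    = $result.SignatureAgeDays
            $row.FirewallProfilesOff = $result.FirewallProfilesOff
            $row.LastHotFix          = $result.LastHotFix
        }
        catch {
            # Wrong credentials, an unsupported guest OS or a missing cmdlet land here.
            $row.Detail = "failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize -Wrap
```

PowerShell Direct still requires Hyper-V administrator rights on the host and valid credentials for each guest, so membership of the host's Hyper-V Administrators group should be reviewed with the same care as the guest credentials themselves.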
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to the "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 mode using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Untrusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator is not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
User certificate authentication can now be configured on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Windows Hello
Built in to the Windows 10 and Windows Server 2016 operating system
Enables logon with a device-specific PIN or Biometrics (Facial recognition, Fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
• Any LDAP v3 compliant directory including AD LDS and third party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable Access only from devices that are managed and/or compliant
Restrict access to corporate ‘joined’ PCs (including managed devices and domain joined PCs)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .Net Core, ASP.Net Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain/Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Better Sign-on to Azure AD and Office 365
Improved Sign-on Experience
Strong Authentication Options
Simpler Upgrade Deployment and Management
Conditional Access
Seamless sign-on from Windows 10 and Windows Hello
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from
bull Any LDAP v3 compliant directory including AD LDS and third party directories
bull Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages images logo and web theme per application and Create custom web themes
Strong Authentication Options
Provides more ways to authentication different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade Deployment and ManagementWindows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use a single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command-line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows can now be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64 TB volumes and 1 TB files)

Scenario                   Typical Content                                  Space Savings
User Documents             Office documents, photos, music, videos, etc.    30–50%
Deployment Shares          Software binaries, cab files, symbols, etc.      70–80%
Virtualization Libraries   ISOs, virtual hard disk files, etc.              80–90%
General File Share         All of the above                                 50–60%

Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed, and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage

Resiliency         Failure tolerance   Storage efficiency   Servers   Tier
Two-way mirror     1                   50.0%                2         Performance
Three-way mirror   2                   33.3%                3         Performance
Dual parity        2                   50.0% - 80.0%        4         Capacity
Mixed              2                   33.3% - 80.0%        4         Capacity

Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; delivered as separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to a "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1 GB dedicated VRAM and up to 1 GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS, and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Better Sign-On to Azure AD and Office 365
Extends hybrid identity by supporting sign-in to AD FS resources from:
• Any LDAP v3 compliant directory, including AD LDS and third-party directories
• Un-trusted or partially trusted Active Directory domains and forests
Customize Sign-on Experience
Customize messages, images, logo and web theme per application, and create custom web themes
Strong Authentication Options
Provides more ways to authenticate different types of identities and devices
Traditional Active Directory based logon options
New LDAP Directory Support
Configure Device authentication or Azure MFA as either primary or secondary
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator is not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
User certificate authentication can now be configured on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Simpler Upgrade, Deployment and Management
Windows Server 2016 can be added to a Windows Server 2012 R2 farm in Windows Server 2012 R2 Farm mode
Upgrade the farm behavior level to 2016 and begin using the new features once all servers in the farm are Windows Server 2016
AD FS administrator not required to be a local server administrator
Number of audits has been reduced from an average of 80 per logon to 3
Now can configure user certificate authentication on standard port 443
Policies are easier to configure with wizard-based management
Conditional Access
Azure AD and Intune based conditional access policies enable scenarios and benefits such as:
Enable access only from devices that are managed and/or compliant
Restrict access to corporate 'joined' PCs (including managed devices and domain joined PCs)
Require multi-factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single-sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name.
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30–50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70–80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80–90%
General File Share | All of the above | 50–60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
[Figure labels: Member Servers; Multi-domain/Workgroup; Domain A; Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Conditional AccessAzure AD and Intune based conditional access policies enable scenarios and benefits such as
Enable Access only from devices that are managed andor compliant
Restrict access to corporate lsquojoinedrsquo PCrsquos (including managed devices and domain joined PCrsquos)
Require multi factor authentication for computers that are not domain joined and devices that are not compliant
Seamless Sign-on from Windows 10 and Windows HelloDomain Join in Windows 10 has been enhanced to provide integration with Azure AD This provides the following benefits after being connected to Azure AD
bull SSO (single-sign-on) to Azure AD resources from anywhere
bull Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
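The three injection routes listed on this slide, preceded by a catalog-signature check so that only validly signed driver packages reach the image. This is an added example, not part of the talk; every path, the computer name and the function names are assumptions.

```powershell
# Added example (not from the talk). Paths, names and function names are placeholders.
# Run elevated on a Windows 10 / Windows Server 2016 build machine.

$MediaPath  = 'D:\'                            # mounted Windows Server 2016 media (placeholder)
$BasePath   = 'C:\NanoBuild\Base'              # working folder (placeholder)
$TargetPath = 'C:\NanoBuild\NanoHost01.vhdx'   # output image (placeholder)
$DriverPath = 'C:\NanoBuild\Drivers'           # folder tree with *.inf / *.cat packages (placeholder)

function Test-DriverPackageSignature {
    # Emits one record per INF/catalog pair with the Authenticode status of the catalog.
    param([Parameter(Mandatory)][string]$Path)

    foreach ($inf in Get-ChildItem -Path $Path -Recurse -Filter *.inf) {
        $cats = @(Get-ChildItem -Path $inf.DirectoryName -Filter *.cat)
        if ($cats.Count -eq 0) {
            # An INF without a catalog is an unsigned package.
            [pscustomobject]@{ Inf = $inf.FullName; Catalog = $null; Status = 'NoCatalog'; Signer = $null }
            continue
        }
        foreach ($cat in $cats) {
            $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
            [pscustomobject]@{
                Inf     = $inf.FullName
                Catalog = $cat.FullName
                Status  = [string]$sig.Status            # 'Valid', 'NotSigned', 'HashMismatch', ...
                Signer  = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Add-DriverOffline {
    # Route 2: add drivers to an existing, offline VHD/VHDX through the DISM cmdlets.
    param([string]$ImagePath, [string]$Drivers, [string]$Mount)

    New-Item -ItemType Directory -Path $Mount -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index 1 -Path $Mount -ErrorAction Stop | Out-Null
    try {
        Add-WindowsDriver -Path $Mount -Driver $Drivers -Recurse -ErrorAction Stop | Out-Null
        Dismount-WindowsImage -Path $Mount -Save -ErrorAction Stop | Out-Null
    } catch {
        # Never leave a half-modified image mounted: throw the changes away.
        Dismount-WindowsImage -Path $Mount -Discard | Out-Null
        throw
    }
}

function Add-DriverOnline {
    # Route 3: copy the packages to a running Nano Server and install them with pnputil.exe.
    param([string]$ComputerName, [string]$Drivers, [pscredential]$Credential)

    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential
    try {
        Copy-Item -Path $Drivers -Destination 'C:\Drivers' -Recurse -ToSession $session
        Invoke-Command -Session $session -ScriptBlock {
            pnputil.exe /add-driver 'C:\Drivers\*.inf' /subdirs /install
        }
    } finally {
        Remove-PSSession $session
    }
}

# Gate: refuse to continue if any package lacks a valid catalog signature.
$results = @(Test-DriverPackageSignature -Path $DriverPath)
if ($results.Count -eq 0) { throw "No INF files found under $DriverPath" }
$bad = @($results | Where-Object Status -ne 'Valid')
if ($bad.Count -gt 0) {
    $bad | Format-Table Inf, Status, Signer -AutoSize | Out-String | Write-Warning
    throw "Refusing to inject $($bad.Count) driver package(s) without a valid catalog signature."
}

# Route 1: build a new image with the verified drivers injected.
Import-Module (Join-Path $MediaPath 'NanoServer\NanoServerImageGenerator') -Verbose
New-NanoServerImage -MediaPath $MediaPath -BasePath $BasePath -TargetPath $TargetPath `
    -DeploymentType Host -Edition Datacenter -ComputerName 'NanoHost01' `
    -AdministratorPassword (Read-Host -AsSecureString 'Local Administrator password') `
    -DriverPath $DriverPath

# Routes 2 and 3 for an image or server that already exists:
# Add-DriverOffline -ImagePath $TargetPath -Drivers $DriverPath -Mount 'C:\NanoBuild\Mount'
# Add-DriverOnline  -ComputerName 'NanoHost01' -Drivers $DriverPath -Credential (Get-Credential)
```

A `Valid` status also depends on the build machine trusting the signer's certificate chain, so run the check on a machine with the same trusted roots as the target.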
Application Installation
MSIs are not supported, since they are built for local installs and may invoke the GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A | Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
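One defensive use of PowerShell Direct as described on this slide: collecting a security posture snapshot from every running guest without any network path, firewall rule or WinRM listener. This is an added example, not part of the talk; it assumes Windows 10 / Windows Server 2016 guests with the Defender and NetSecurity cmdlets available and one credential valid inside all guests.

```powershell
# Added example (not from the talk). Run in an elevated session on the Hyper-V host.
# Assumption: the same administrative credential works inside every guest.
$guestCred = Get-Credential -Message 'Administrator account inside the guest VMs'

$report = foreach ($vm in Get-VM | Where-Object State -eq 'Running') {
    try {
        # -VMName selects PowerShell Direct: the session runs over Hyper-V sockets,
        # so it also reaches guests that are isolated from the network.
        Invoke-Command -VMName $vm.Name -Credential $guestCred -ErrorAction Stop -ScriptBlock {
            $mp = Get-MpComputerStatus
            [pscustomobject]@{
                RealTimeProtection = $mp.RealTimeProtectionEnabled
                SignatureAgeDays   = $mp.AntivirusSignatureAge
                # Firewall profiles that are not enabled, as a comma-separated list.
                FirewallDisabled   = (Get-NetFirewallProfile |
                                        Where-Object { $_.Enabled -ne 'True' }).Name -join ','
                PendingReboot      = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
            }
        } | Select-Object @{ n = 'VM'; e = { $vm.Name } },
                          RealTimeProtection, SignatureAgeDays, FirewallDisabled, PendingReboot,
                          @{ n = 'Error'; e = { $null } }
    } catch {
        # Guest not reachable (older guest OS, wrong credential, missing cmdlets): record why.
        [pscustomobject]@{
            VM = $vm.Name; RealTimeProtection = $null; SignatureAgeDays = $null
            FirewallDisabled = $null; PendingReboot = $null; Error = $_.Exception.Message
        }
    }
}

# Guests that need attention: protection off, stale signatures, a disabled firewall profile,
# or no answer at all.
$report |
    Where-Object { $_.Error -or -not $_.RealTimeProtection -or $_.SignatureAgeDays -gt 7 -or $_.FirewallDisabled } |
    Format-Table -AutoSize
```

The seven-day signature threshold is an arbitrary value chosen for the example.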
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure, the tenant VM session state is preserved; the VM is moved to “PausedCritical” state as it waits for the storage to recover. On recovery, the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What’s New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What’s New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Seamless Sign-on from Windows 10 and Windows Hello
Domain Join in Windows 10 has been enhanced to provide integration with Azure AD. This provides the following benefits after being connected to Azure AD:
• SSO (single sign-on) to Azure AD resources from anywhere
• Strong authentication and convenient sign-in with Microsoft Passport and Windows Hello
AD FS in Windows Server 2016 provides the ability to extend the above benefits and device policies to on-premises resources protected by AD FS
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What’s New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS Servers
• Split-Brain DNS in Active Directory Environment Using DNS Policies
• Response Rate Limiting in Windows DNS Server
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2, but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event IDs 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configurations where the DHCP server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs. There is no team name.
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC Teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams, as available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables the Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on the physical NIC for VMs
VXLAN Encapsulation Task Offloads support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter Bridging with a Hyper-V Switch support added
Use a single ultra-high-bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows can now be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30% – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70% – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80% - 90%
General File Share | All of the above | 50% - 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data integrity, resiliency, availability, speed and efficiency improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption performance improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SYSVOL in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke a GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell command construction
• Add hardware drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in the Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
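PowerShell Direct as a host-side audit channel, as an added example that is not part of the original slides: the function below runs on the Hyper-V host and reads SMB and firewall hardening state inside each running guest without any network path to it. The function name Get-GuestHardeningState and the choice of settings to report are assumptions made for this sketch; it requires Windows 10 or Windows Server 2016 guests, an elevated session on the host, and credentials valid inside the guests.

```powershell
# Added example (not from the original deck). Run elevated on the Hyper-V host.
# Get-GuestHardeningState is a hypothetical helper name chosen for this sketch.
function Get-GuestHardeningState {
    [CmdletBinding()]
    param(
        # Account that is valid inside the guest operating systems.
        [Parameter(Mandatory)] [pscredential] $GuestCredential,
        # Defaults to every VM currently running on this host.
        [string[]] $VMName = (Get-VM | Where-Object State -eq 'Running').Name
    )

    # Script block executed inside each guest over the Hyper-V socket transport.
    $probe = {
        $smb = Get-SmbServerConfiguration
        $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
        [pscustomobject]@{
            Smb1Enabled          = $smb.EnableSMB1Protocol
            SmbEncryptData       = $smb.EncryptData
            SmbRejectUnencrypted = $smb.RejectUnencryptedAccess
            SmbRequireSigning    = $smb.RequireSecuritySignature
            FirewallProfilesOff  = @($off | ForEach-Object Name) -join ','
            GuestPSVersion       = $PSVersionTable.PSVersion.ToString()
        }
    }

    foreach ($name in $VMName) {
        # One row per VM, same shape on success and failure so the output tabulates cleanly.
        $row = [ordered]@{
            VM = $name; Smb1Enabled = $null; SmbEncryptData = $null
            SmbRejectUnencrypted = $null; SmbRequireSigning = $null
            FirewallProfilesOff = $null; GuestPSVersion = $null; Error = $null
        }
        try {
            # -VMName selects PowerShell Direct instead of WinRM; no guest IP or listener is used.
            $r = Invoke-Command -VMName $name -Credential $GuestCredential `
                                -ScriptBlock $probe -ErrorAction Stop
            foreach ($p in 'Smb1Enabled','SmbEncryptData','SmbRejectUnencrypted',
                           'SmbRequireSigning','FirewallProfilesOff','GuestPSVersion') {
                $row[$p] = $r.$p
            }
        } catch {
            # Typical causes: unsupported guest OS, wrong credentials, VM not fully booted.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage:
#   $cred = Get-Credential
#   Get-GuestHardeningState -GuestCredential $cred | Format-Table -AutoSize
```

Because this channel does not traverse the guest's network stack, guest firewall rules and WinRM settings do not gate it; access is controlled by Hyper-V administrator rights on the host together with valid guest credentials, so both belong in the privileged-access review.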
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – Allow executing tasks on a group of VMs
• Management Collections – Allow nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in the "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to the "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per-seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
bull Whats New in DNS Server in Windows Server 2016
bull DNS policy overview
bull PowerShell documentation
bull Geo-Location Based Traffic Management
bull Split-Brain DNS Deployment Using DNS Policies
bull Applying Filters on DNS Queries using DNS Policies
bull Application Load Balancing using DNS Policies
bull Intelligent DNS Responses Based on the Time of Day
bull Traffic Management with DNS Policies in Primary-
Secondary Deployment
bull Selective Recursion Control Using DNS Policies
bull Upward Referral Responses from Authoritative DNS
Servers
bull Split-Brain DNS in Active Directory Environment Using
DNS Policies
bull Response Rate Limiting in Windows DNS Server
DHCPNetwork Access Protection (NAP)Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
bull Will not enforce NAP Policies
bull DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration FailuresImproved Event Logging
bull Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
bull Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure, the tenant VM session state is preserved; the VM is moved to the “Paused-Critical” state while it waits for the storage to recover. On recovery, the session state is restored.
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex: DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2 but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event ID 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require NIC team to converge NICs. There is not a team name.
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC teaming does not
Notes
• All team members must be identical: make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What's New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30–50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70–80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80–90%
General File Share | All of the above | 50–60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.0% | 2 | Performance
Three-way mirror | 2 | 33.3% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking Speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain/Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 Whats New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 Whats New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Switch Embedded Teaming and Converged RDMADoes not require NIC team to converge NICs There is not a team name
Group between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA which NIC teaming does not
Notes
bull All team members must be identical makemodeldriverfeatures
bull No ActivePassive teaming
bull No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) addedEnables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support addedAdded support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing encapsulation)
Datacenter bridging with a Hyper-V Switch support addedUse single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detailContains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch including any forwarding extensions installed
Networking
Whatrsquos New in NetworkingNetwork Controller
Distributed Firewall
Software Load Balancer
bull Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 51 (including updates to DSC - Desired State Configuration )
Console Host Update
PowerShell 51 Introduced
Includes new features that extend its use improve usability improve control and management of Windows
bull Engine Improvements
bull ISE improvements
bull Remote PowerShell debugging improvements
bull Desired State Configuration (DSC) improvements
bull Backward-compatible
PowerShell 51
Console Host Improvements(ie DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry HKCUConsole
Whatrsquos New in the Console
Data Deduplication
bull Integrated support for virtualized backup workloads and support for Nano Server
bull Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario Typical Content Space Savings
User Documents Office documents photos music videos etc 30 ndash 50
Deployment Shares Software binaries cab files symbols etc 70 ndash 80
Virtualization Libraries ISOs virtual hard disk files etc 80 - 90
General File Share All of the above 50 - 60
Resilient File System ReFs
bull Now preferred for data volumes (requires UEFI and GPT)
bull Data Integrity Resiliency Availability Speed and Efficiency Improvements
SMB 311bull Pre-Authentication Integrity
bull Encryption Performance Improvements
bull Supports rolling cluster upgrades
bull SMB hardening improvements for SysVol in Active Directory
Storage Spaces DirectUse standard servers with local storage to build highly available and scalable software-defined storage
Resiliency Failure tolerance Storage efficiency Servers Tier
Two-way mirror 1 5000 2 Performance
Three-way mirror 2 3330 3 Performance
Dual parity 2 500 - 800 4 Capacity
Mixed 2 333 - 800 4 Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
[Diagram labels: Member Servers; Multi-domain; Workgroup; Domain A; Domain B]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved. VM moved to “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on physical NIC for VMs
VXLAN Encapsulation Task Offloads Support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter bridging with a Hyper-V Switch support added
Use single ultra-high bandwidth NIC with QoS and isolation services to support multitenant workload
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine Improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30–50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70–80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80–90%
General File Share | All of the above | 50–60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
• Shared kernel architecture
• Isolation provided through namespace and process isolation technologies
Hyper-V
• Separate kernel architecture
• Isolation provided through Hyper-V
• Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in the Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX resize with no downtime
Guest clusters: shared VHDX protected by Hyper-V Replica for disaster recovery
Guest clusters can have both host-level and guest backups of shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated management protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet:
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
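PowerShell Direct as described above, in an added example that is not part of the original presentation: from the Hyper-V host it checks each running guest's firewall profiles and WinRM service, which shows that guests can be managed while their network management surface stays closed. The function name `Get-GuestExposure` and the choice of checks are assumptions for illustration.

```powershell
# Added example, not from the original presentation.
# Run in an elevated session on the Hyper-V host. PowerShell Direct needs a
# Windows 10 / Windows Server 2016 (or later) guest and valid guest credentials.

function Get-GuestExposure {   # hypothetical helper name
    param (
        [Parameter(Mandatory)]
        [pscredential] $GuestCredential
    )

    foreach ($vm in Get-VM | Where-Object State -eq 'Running') {
        try {
            # -VMName selects PowerShell Direct: the session travels over the
            # host-to-guest socket channel, not the guest's network stack, so it
            # works even when the guest blocks all inbound traffic.
            $guest = Invoke-Command -VMName $vm.Name -Credential $GuestCredential `
                                    -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    # Firewall profiles that are not explicitly enabled.
                    FirewallProfilesOff = @(Get-NetFirewallProfile |
                        Where-Object { $_.Enabled -ne 'True' } |
                        ForEach-Object Name) -join ','
                    # WinRM is not needed for PowerShell Direct.
                    WinRMStatus = (Get-Service -Name WinRM).Status.ToString()
                }
            }

            [pscustomobject]@{
                VM                  = $vm.Name
                ConfigVersion       = $vm.Version
                FirewallProfilesOff = $guest.FirewallProfilesOff
                WinRMStatus         = $guest.WinRMStatus
                Error               = $null
            }
        }
        catch {
            # Older or non-Windows guests, or wrong credentials, end up here.
            [pscustomobject]@{
                VM                  = $vm.Name
                ConfigVersion       = $vm.Version
                FirewallProfilesOff = $null
                WinRMStatus         = $null
                Error               = $_.Exception.Message
            }
        }
    }
}

# Usage: prompts once for guest credentials, then prints one row per running VM.
Get-GuestExposure -GuestCredential (Get-Credential) | Format-Table -AutoSize
```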
Configuration File Versions
The version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of virtual machines (2 types)
• VM Collections – allow executing tasks on a group of VMs
• Management Collections – allow nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to a “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet:
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
MultiPoint Services Role
Personal session desktops, Gen 2 VM support and pen remoting support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1 GB dedicated VRAM and up to 1 GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• A SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections make even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
MultiPoint Services Role
New server role
• Enables low-cost per-seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
PowerShell 5.1 (including updates to DSC - Desired State Configuration)
Console Host Update
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, and improve control and management of Windows
• Engine improvements
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Console Host Improvements (i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows can now be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What's New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64 TB volumes and 1 TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data integrity, resiliency, availability, speed and efficiency improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption performance improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SYSVOL in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware, Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as:
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke a GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A, Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
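An added example (not from the original slides) of the PowerShell Direct feature listed above: run on the Hyper-V host, it checks Windows Defender health inside every running guest over the Hyper-V socket transport, so no guest networking, firewall rule or WinRM listener is involved. The function name, the `MaxSignatureAgeDays` threshold and the assumption that one credential is valid inside every guest are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example. Assumptions: run elevated on a Windows Server 2016 Hyper-V host;
# guests run Windows Server 2016 / Windows 10 with the Defender cmdlets installed;
# $GuestCredential is an account that exists inside each guest.

function Get-GuestDefenderStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [pscredential]$GuestCredential,

        # Signatures older than this many days mark the guest as non-compliant.
        [ValidateRange(1, 365)]
        [int]$MaxSignatureAgeDays = 3
    )

    $now = Get-Date

    # PowerShell Direct only reaches VMs that are running on the local host.
    foreach ($vm in (Get-VM | Where-Object { $_.State -eq 'Running' })) {

        # Same shape for success and failure so the output can be sorted or exported.
        $result = [ordered]@{
            VMName             = $vm.Name
            VMId               = $vm.VMId
            Reachable          = $false
            AntivirusEnabled   = $null
            RealTimeProtection = $null
            SignatureAgeDays   = $null
            Compliant          = $false
            Error              = $null
        }

        try {
            # -VMId selects the Hyper-V socket transport (PowerShell Direct), not WinRM.
            # The VM ID is used instead of the name because VM names are not unique.
            $status = Invoke-Command -VMId $vm.VMId -Credential $GuestCredential -ErrorAction Stop -ScriptBlock {
                Get-MpComputerStatus |
                    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
            }

            $result.Reachable          = $true
            $result.AntivirusEnabled   = [bool]$status.AntivirusEnabled
            $result.RealTimeProtection = [bool]$status.RealTimeProtectionEnabled

            # A guest that has never updated reports no timestamp; leave the age empty.
            if ($status.AntivirusSignatureLastUpdated) {
                $age = ($now - $status.AntivirusSignatureLastUpdated).TotalDays
                $result.SignatureAgeDays = [math]::Round($age, 1)
            }

            $result.Compliant = $result.AntivirusEnabled -and
                                $result.RealTimeProtection -and
                                ($null -ne $result.SignatureAgeDays) -and
                                ($result.SignatureAgeDays -le $MaxSignatureAgeDays)
        }
        catch {
            # Typical causes: unsupported guest OS, wrong credential, Defender cmdlets missing.
            $result.Error = $_.Exception.Message
        }

        [pscustomobject]$result
    }
}

# Usage:
#   $cred = Get-Credential
#   Get-GuestDefenderStatus -GuestCredential $cred | Where-Object { -not $_.Compliant }
```

Because this channel does not cross the network, guest firewall rules and network monitoring do not see it; logging of these sessions has to come from the host and from PowerShell logging inside the guest.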
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; VM is moved to “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per-seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Console Host Improvements
(i.e. DOS command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%)
Use click-and-drag selection outside of Quick Edit mode
Control new features through the registry: HKCU\Console
What’s New in the Console
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
Scenario | Typical Content | Space Savings
User Documents | Office documents, photos, music, videos, etc. | 30 – 50%
Deployment Shares | Software binaries, cab files, symbols, etc. | 70 – 80%
Virtualization Libraries | ISOs, virtual hard disk files, etc. | 80 – 90%
General File Share | All of the above | 50 – 60%
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware Patching and New Releases
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
OverviewHeadless 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure ndash less components small attack surface
Stable ndash less patching bigger uptime when it doubt redeploy
Small ndash 180mb WIM 600mb VHDx
Ideal for scenarios such as
bull Compute host for Hyper-V VMs and Windows Containers
bull Storage cluster host for Scale-Out File Server
bull Standalone DNS server
bull Web server running IIS
bull Born in the cloud apps (Java Runtime Net Core
ASPNet Core Notejs Python Go Ruby Django
Apache PHP CoreCLR MySQL Redis Nginx etchellip)
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
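PowerShell Direct as described on the slide above, shown as an added example that is not part of the original deck: a host-side audit that collects patch and Defender state from each running guest without any network path into the VM. The function name Get-GuestPatchState is hypothetical, and the example assumes guests running Windows 10 or Windows Server 2016 or later.

```powershell
#Requires -Modules Hyper-V
# Added example. Get-GuestPatchState is a hypothetical helper name.
# Run on the Hyper-V host in an elevated session. PowerShell Direct needs
# Windows 10 / Windows Server 2016 or later on both host and guest.

function Get-GuestPatchState {
    [CmdletBinding()]
    param(
        # PowerShell Direct still authenticates inside the guest, so a valid
        # guest account is required even though no network path is used.
        [Parameter(Mandatory)]
        [pscredential] $GuestCredential,

        # Defaults to every running VM on this host.
        [string[]] $VMName = (Get-VM | Where-Object State -eq 'Running').Name
    )

    foreach ($name in $VMName) {
        try {
            # -VMName (instead of -ComputerName) selects the Hyper-V socket
            # transport: no WinRM listener or firewall rule in the guest.
            Invoke-Command -VMName $name -Credential $GuestCredential -ErrorAction Stop -ScriptBlock {
                # Most recent hotfix that reports an install date
                $lastFix = Get-HotFix |
                    Where-Object InstalledOn |
                    Sort-Object InstalledOn -Descending |
                    Select-Object -First 1

                # Defender cmdlets are absent if the feature is not installed
                $mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
                    Get-MpComputerStatus
                }

                [pscustomobject]@{
                    Guest            = $env:COMPUTERNAME
                    Reachable        = $true
                    LastHotFix       = $lastFix.HotFixID
                    LastHotFixDate   = $lastFix.InstalledOn
                    DefenderRealTime = $mp.RealTimeProtectionEnabled
                    SignatureAgeDays = $mp.AntivirusSignatureAge
                }
            }
        }
        catch {
            # VM not running, guest OS too old, or credential rejected
            [pscustomobject]@{
                Guest     = $name
                Reachable = $false
                Error     = $_.Exception.Message
            }
        }
    }
}

# Usage:
# Get-GuestPatchState -GuestCredential (Get-Credential) | Format-Table
```

Because the session rides the host-to-guest socket, anyone who is a Hyper-V administrator on the host and holds a guest credential can reach a VM that is otherwise network-isolated, so host admin membership deserves the same review as remote management access.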
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
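The configuration version upgrade mentioned above, as an added example that is not from the original deck: list the VMs still on an older configuration version, then upgrade selected ones after taking an export, since the upgrade is one-way and an upgraded VM can no longer run on a 2012 R2 host. Get-LegacyConfigVM, Update-LegacyConfigVM and the export folder are hypothetical names.

```powershell
#Requires -Modules Hyper-V
# Added example. Function names and the export path are hypothetical.

function Get-LegacyConfigVM {
    # Default configuration version of this host (8.0 on Windows Server 2016;
    # VMs brought over from 2012 R2 report 5.0)
    $target = (Get-VMHostSupportedVersion -Default).Version

    Get-VM |
        Where-Object { [version]$_.Version -lt $target } |
        Select-Object Name, State, Version, @{ n = 'HostDefault'; e = { $target } }
}

function Update-LegacyConfigVM {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string[]] $Name,

        # Folder that receives a pre-upgrade export used as the rollback copy
        [Parameter(Mandatory)]
        [string] $ExportPath
    )

    foreach ($n in $Name) {
        $vm = Get-VM -Name $n -ErrorAction Stop

        # The upgrade only works on a VM that is shut down
        if ($vm.State -ne 'Off') {
            Write-Warning "$n is $($vm.State); shut it down before upgrading."
            continue
        }

        if ($PSCmdlet.ShouldProcess($n, "Export, then upgrade configuration version $($vm.Version)")) {
            # There is no downgrade cmdlet, so keep a copy first
            Export-VM -Name $n -Path $ExportPath -ErrorAction Stop
            Update-VMVersion -Name $n -Force
            Get-VM -Name $n | Select-Object Name, Version
        }
    }
}

# Usage:
# Get-LegacyConfigVM
# Update-LegacyConfigVM -Name 'app01' -ExportPath 'D:\PreUpgradeExports'
```

During a cluster rolling upgrade, leave the upgrade until every node runs Windows Server 2016, otherwise the VM cannot fail back to the remaining 2012 R2 nodes.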
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections - Allows executing tasks on a group of VMs
• Management Collections - Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump - Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to a "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations - Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements - Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name | Target Level
Chalk Talk - Security Active Directory Certificate Services | 100
Chalk Talk - Windows Server 2012 Hyper-V | 200
Chalk Talk - Windows Server 2016 What's New | 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction | 300
Premier Webcast - Windows Server 2012 R2 Introduction | 200
Premier Webcast - Windows Server 2012 What's New in Active Directory | 300
Training Workshops Currently Available
Service Name | Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop | 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop | 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop | 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop | 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop | 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop | 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop | 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop | 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop | 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop | 400
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Resiliency | Failure tolerance | Storage efficiency | Servers | Tier
Two-way mirror | 1 | 50.00% | 2 | Performance
Three-way mirror | 2 | 33.30% | 3 | Performance
Dual parity | 2 | 50.0% - 80.0% | 4 | Capacity
Mixed | 2 | 33.3% - 80.0% | 4 | Capacity
Storage Spaces Direct in Windows Server 2016
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure - fewer components, small attack surface
Stable - less patching, bigger uptime; when in doubt, redeploy
Small - 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as:
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born in the cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in the image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options - Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching - Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Datacenter & Software Assurance
TechNet: Managing updates in Nano Server - Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Storage Replica
Storage QoS
Nano Server
Windows Containers
Failover Clustering
Failover Cluster Roles
Hyper-V
Remote Desktop Services
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and Managed Remotely
Deploy without reboots (deployment to start - 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.…)
Role and Feature Support
• Hyper-V including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes (win32ole, win32-dir)
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2 updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only, and managed remotely
Deploy without reboots (deployment to start: 1 to 5 mins)
Secure – fewer components, small attack surface
Stable – less patching, bigger uptime; when in doubt, redeploy
Small – 180mb WIM, 600mb VHDx
Ideal for scenarios such as:
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role and Feature Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale-Out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
Not included in image; separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
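The offline-VHD path from the slide above, as an added PowerShell example (not from the deck): it refuses to touch the image unless every driver package has a catalog with a valid Authenticode signature, then injects the drivers with the DISM cmdlets and lists what landed in the image. The three paths and the function name are placeholders chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the deck. All three paths are placeholders.
$ErrorActionPreference = 'Stop'

$DriverDir = 'C:\NanoBuild\Drivers'      # placeholder: driver packages (.inf/.cat/.sys)
$VhdPath   = 'C:\NanoBuild\Nano01.vhdx'  # placeholder: offline Nano Server image
$MountDir  = 'C:\NanoBuild\Mount'        # placeholder: empty directory to mount into

function Assert-DriverCatalogsSigned {
    # Hypothetical helper. An INF-based package ships a catalog (.cat) that
    # covers its files. Fail closed if a package has no catalog or if a
    # catalog signature does not verify on this build machine.
    param([Parameter(Mandatory)][string]$Path)

    $infs = @(Get-ChildItem -Path $Path -Recurse -File -Filter *.inf)
    if ($infs.Count -eq 0) { throw "No .inf files found under $Path" }

    $packageDirs = $infs | Select-Object -ExpandProperty DirectoryName -Unique
    foreach ($dir in $packageDirs) {
        $cats = @(Get-ChildItem -Path $dir -File -Filter *.cat)
        if ($cats.Count -eq 0) { throw "Driver package without a catalog: $dir" }

        foreach ($cat in $cats) {
            $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
            if ($sig.Status -ne 'Valid') {
                throw "Catalog signature is $($sig.Status): $($cat.FullName)"
            }
            # Emit one record per verified catalog for the build log.
            [pscustomobject]@{
                Catalog = $cat.FullName
                Signer  = $sig.SignerCertificate.Subject
            }
        }
    }
}

# 1. Gate: stop before mounting the image if any catalog fails verification.
Assert-DriverCatalogsSigned -Path $DriverDir | Format-Table -AutoSize

# 2. Offline injection into the VHD with the DISM cmdlets.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $VhdPath -Index 1 -Path $MountDir | Out-Null
try {
    # -ForceUnsigned is deliberately not used, so DISM also rejects
    # unsigned packages on its own.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null

    # 3. Record which drivers are now present in the image.
    Get-WindowsDriver -Path $MountDir |
        Select-Object Driver, OriginalFileName, ProviderName, Version |
        Format-Table -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Leave the image unchanged if anything failed after mounting.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

A signer list from step 1 and the driver list from step 3 give a reviewable record of what went into each image build.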
Application Installation
MSIs are not supported, since they are built for local installs and may invoke GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and installation are handled separately
• Configuration is handled by PowerShell Desired State Configuration or another tool like Puppet
• Group Policy is not supported on Nano Server
Example of an application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management
Domain Join supported
Group Policy not supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes a local interface with a simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8, 8.1, 10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server
Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V
Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure, the tenant VM session state is preserved; the VM is moved to the "PausedCritical" state as it waits for the storage to recover. On recovery, the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Role and Feature Supportbull Hyper-V including container and shielded VM support
bull Datacenter Bridging
bull Defender
bull DNS Server
bull Desired State Configuration
bull Clustering
bull IIS
bull Network Performance Diagnostics Service (NPDS)
bull System Center Virtual Machine Manager
bull Secure Startup
bull Scale out File Server including Storage Replica MPIO iSCSI initiator Data Deduplication
Not included in image separate packages to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
bull Inject drivers into new Nano Server image with New-NanoServerImage -DriverPath
bull Installed drivers to an offline VHD using INF via DISM
bull Online driver installation is available using PNPUTILEXE
Deploy Nano Server (Section Adding additional drivers)
Application InstallationMSIrsquos not supported since built for local installs and may invoke GUI or other non-headless friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
bull Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
bull Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
bull Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
bull Puppet - Works on Nano with some minor changes win32ole win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware Patching and New Releases
Antimalware options ndash Windows Defender is built in by default 3rd party products are not currently supported by Nano Server
Patching ndash Windows Update is supported 3rd party products are not supported by Nano Server
New Feature Releases
bull Follows Current Branch for Business (CBB) for new features Patching supports CBB amp CBB-1 At CBB-2 updates are not available
bull Upgrading to the next CBB requires recreating image Cannot be upgraded Releases will be available on the Volume License Center (VLSC)
Licensing Requires Data Center amp Software Assurance
TechNet Managing updates in Nano Server ndash Section Managing Updates
ManagementDomain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface manage remotely
bull PowerShell and DSC
bull Server Manager
bull Supports PowerShell core set of cmdlets
bull Supports WMI v1 and v2 providers
bull MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
bull GUI-based with many custom settings
bull Create USB Key to detect firmware and hardware
bull Create bootable USB or ISO for deployment
bull Runs on Windows 88110
bull PowerShell Command Construction
bull Add Hardware Drivers
Download httpakamsNanoServerImageBuilder
Blog Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
bull TechNet Wiki Nano Server Virtualization with VMWare VSphere
bull Polar Clouds Blog Nano Hyper-V in a VMWare Virtual Machine
bull Cloud base Blog Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows ServerShared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-VSeparate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions: The version of the VM configuration determines which versions of Hyper-V support it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups: Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
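The two group types and PowerShell Direct combined, as an added example that is not part of the original deck: it builds a VM collection, nests it in a management collection, then audits the guest firewall of every running member over the VMBus. The group names and VM names are assumptions; run it elevated on a Server 2016 Hyper-V host with Windows 10 or Server 2016 guests.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example, not from the original deck. All names below are placeholders.
$CollectionName = 'Tier1-Web'          # assumed VM collection name
$ManagementName = 'Production'         # assumed management collection name
$VmNames        = 'WEB01', 'WEB02'     # assumed VMs that already exist on this host

function Get-OrCreateVMGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('VMCollectionType', 'ManagementCollectionType')]
        [string]$GroupType
    )
    $existing = Get-VMGroup -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-VMGroup -Name $Name -GroupType $GroupType
}

# 1. VM collection: holds virtual machines directly.
$collection = Get-OrCreateVMGroup -Name $CollectionName -GroupType VMCollectionType
foreach ($vm in Get-VM -Name $VmNames) {
    if ($collection.VMMembers.Name -notcontains $vm.Name) {
        Add-VMGroupMember -VMGroup $collection -VM $vm
    }
}

# 2. Management collection: holds other groups, not VMs.
$management = Get-OrCreateVMGroup -Name $ManagementName -GroupType ManagementCollectionType
if ($management.VMGroupMembers.Name -notcontains $CollectionName) {
    Add-VMGroupMember -VMGroup $management -VMGroupMember $collection
}

# 3. Run one task against every running member with PowerShell Direct.
#    The session travels over the VMBus, so it works with no guest network path
#    and is invisible to network firewalls and network monitoring. It still
#    authenticates: valid guest credentials are required.
$collection = Get-VMGroup -Name $CollectionName      # refresh membership
$running    = @($collection.VMMembers | Where-Object State -eq 'Running')
if ($running.Count -eq 0) {
    Write-Warning "No running VMs in group '$CollectionName'; nothing to audit."
    return
}

$guestCred = Get-Credential -Message 'Administrator account inside the guests'
$report = Invoke-Command -VMName $running.Name -Credential $guestCred -ScriptBlock {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

# PSComputerName carries the VM name each row came from.
$report | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, Enabled, DefaultInboundAction -AutoSize

# Flag any guest whose firewall profile is switched off.
$disabled = $report | Where-Object { "$($_.Enabled)" -ne 'True' }
if ($disabled) {
    Write-Warning ("Firewall profile disabled on: " +
        (($disabled.PSComputerName | Sort-Object -Unique) -join ', '))
}
```

Because PowerShell Direct bypasses the network, record its use through PowerShell logging inside the guest rather than relying on network telemetry.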
Mobility Improvements: Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to a "Paused-Critical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU: Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4K resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support: Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments: Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements: Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role: New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers to an offline VHD using INF via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
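The first two options above as a scripted build step, added here as an illustration and not taken from the original deck: injection is gated on every driver package shipping a catalog with a valid Authenticode signature. All paths, the computer name and the choice of a Datacenter guest image are assumptions; the check covers the catalog signature only, not the hash of each file the catalog lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original deck. Every path and name is a placeholder.
$MediaPath   = 'D:\'                        # assumed: mounted Windows Server 2016 media
$DriverRoot  = 'C:\Staging\Drivers'         # assumed: extracted INF driver packages
$BasePath    = 'C:\NanoBase'                # assumed: working folder for the generator
$NewVhd      = 'C:\Images\Nano01.vhdx'      # assumed: image to build (option 1)
$ExistingVhd = 'C:\Images\Nano02.vhdx'      # assumed: image that already exists (option 2)
$MountDir    = 'C:\Mount\Nano02'

function Assert-DriverCatalogSigned {
    # Throws unless every INF folder contains a .cat and every .cat is validly signed.
    param([Parameter(Mandatory)][string]$Path)

    $infs = @(Get-ChildItem -Path $Path -Recurse -Filter *.inf)
    if ($infs.Count -eq 0) { throw "No INF files found under $Path" }

    $problems = foreach ($dir in ($infs.DirectoryName | Sort-Object -Unique)) {
        $cats = @(Get-ChildItem -Path $dir -Filter *.cat)
        if ($cats.Count -eq 0) {
            "${dir}: no catalog file next to the INF"
            continue
        }
        foreach ($cat in $cats) {
            $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
            if ($sig.Status -ne 'Valid') {
                "$($cat.FullName): signature status $($sig.Status)"
            }
        }
    }
    if ($problems) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw "Driver staging folder rejected: $(@($problems).Count) problem(s)."
    }
}

Assert-DriverCatalogSigned -Path $DriverRoot

# Option 1: inject while the image is created.
Import-Module (Join-Path $MediaPath 'NanoServer\NanoServerImageGenerator')
$adminPw = Read-Host -AsSecureString -Prompt 'Local Administrator password for the image'
New-NanoServerImage -MediaPath $MediaPath -BasePath $BasePath -TargetPath $NewVhd `
    -DeploymentType Guest -Edition Datacenter -ComputerName 'NANO01' `
    -AdministratorPassword $adminPw -DriverPath $DriverRoot

# Option 2: add the same drivers to an existing offline VHDX with the DISM cmdlets.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ExistingVhd -Index 1 -Path $MountDir | Out-Null
$injected = $false
try {
    Add-WindowsDriver -Path $MountDir -Driver $DriverRoot -Recurse | Out-Null
    # Lists the third-party drivers now present in the offline image.
    Get-WindowsDriver -Path $MountDir |
        Format-Table Driver, OriginalFileName, ProviderName, Version -AutoSize
    $injected = $true
}
finally {
    # Commit only a fully successful injection; otherwise leave the image untouched.
    if ($injected) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else           { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
```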
Application Installation: MSIs are not supported, since they are built for local installs and may invoke a GUI or other non-headless-friendly features
Applications must be refactored to be compatible with Nano Server
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes: win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on: Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded in place. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section: Managing Updates
Management: Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
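What "use PowerShell DSC instead of Group Policy" can look like, as an added example that is not part of the original deck: two settings normally delivered as Group Policy security options are expressed as a DSC configuration, compiled on a management workstation, pushed to a Nano Server and then checked for drift. The node name, output path and choice of settings are assumptions, as is a domain-joined target whose image includes the Microsoft-NanoServer-DSC-Package.

```powershell
# Added example, not from the original deck. Node name, path and the two
# settings are illustrative; run from a management workstation, not on Nano.
Configuration NanoBaseline {
    param([Parameter(Mandatory)][string[]]$NodeName)

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # GPO equivalent: "Network security: LAN Manager authentication level"
        # 5 = send NTLMv2 responses only, refuse LM and NTLM.
        Registry LmCompatibilityLevel {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'LmCompatibilityLevel'
            ValueType = 'Dword'
            ValueData = '5'
            Ensure    = 'Present'
        }

        # GPO equivalent: "Network access: Do not allow anonymous enumeration
        # of SAM accounts and shares".
        Registry RestrictAnonymous {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'RestrictAnonymous'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
    }
}

$Node   = 'NANO01'                 # assumed target name
$OutDir = 'C:\Dsc\NanoBaseline'    # assumed output folder for the compiled MOF

# Compile: writes <NodeName>.mof into $OutDir.
NanoBaseline -NodeName $Node -OutputPath $OutDir | Out-Null

# Push over a CIM session (WS-Man). Nano has no local UI, so everything is remote.
$session = New-CimSession -ComputerName $Node -Credential (Get-Credential)
try {
    Start-DscConfiguration -Path $OutDir -CimSession $session -Wait -Force -Verbose

    # Drift check: re-run on a schedule to get the continuous enforcement
    # signal that Group Policy refresh would otherwise provide.
    $state = Test-DscConfiguration -CimSession $session -Detailed
    if ($state.InDesiredState) {
        Write-Output "$Node matches the baseline."
    }
    else {
        Write-Warning "$Node has drifted from the baseline:"
        $state.ResourcesNotInDesiredState | Format-Table ResourceId, InDesiredState -AutoSize
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```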
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default; 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported; 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB & CBB-1. At CBB-2, updates are not available
• Upgrading to the next CBB requires recreating the image; it cannot be upgraded. Releases will be available on the Volume License Center (VLSC)
Licensing: Requires Data Center & Software Assurance
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy: Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface; manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell Command Construction
• Add Hardware Drivers
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server: Shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V: Separate kernel architecture
Isolation provided through Hyper-V
Each container is run inside of a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section). Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
Member Servers
Multi-domain / Workgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
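The version check and upgrade described above can be scripted on the Windows Server 2016 host. This is an added example, not part of the original deck; the 8.0 threshold (the default configuration version on Windows Server 2016) and the report layout are assumptions of the example.

```powershell
#Requires -Modules Hyper-V
# Added example: inventory VM configuration versions on a Windows Server 2016
# Hyper-V host and upgrade the VMs that were moved over from 2012 R2.
# Assumption: 8.0 is the target (default configuration version on Server 2016).

$target = [version]'8.0'

# Versions this host can run, and the one it uses for newly created VMs.
Get-VMHostSupportedVersion | Format-Table Name, Version, IsDefault

# VMs still on an older configuration version (2012 R2 creates 5.0).
$old = Get-VM | Where-Object { [version]$_.Version -lt $target }
$old | Format-Table Name, State, Version

foreach ($vm in $old) {
    # Update-VMVersion only works on a VM that is turned off.
    if ($vm.State -ne 'Off') {
        Write-Warning "$($vm.Name) is $($vm.State); shut it down before upgrading."
        continue
    }
    # The upgrade is one-way: afterwards the VM can no longer be moved back
    # to a 2012 R2 host. -WhatIf stays on until the list has been reviewed;
    # remove it to perform the upgrade.
    Update-VMVersion -VM $vm -WhatIf
}
```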
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
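VM groups and PowerShell Direct work well together: group the VMs once, then run a check inside every member from the host without any guest networking. This is an added example, not code from the original deck; the group names, VM name patterns and the firewall-profile check are assumptions.

```powershell
#Requires -Modules Hyper-V
# Added example. Group names, VM name patterns and the check that runs in the
# guests are placeholders chosen for illustration.

# 1. Two VM collections, each holding VMs directly.
$web = New-VMGroup -Name 'Web-Tier' -GroupType VMCollectionType
$sql = New-VMGroup -Name 'Sql-Tier' -GroupType VMCollectionType
Add-VMGroupMember -VMGroup $web -VM (Get-VM -Name 'web-*')
Add-VMGroupMember -VMGroup $sql -VM (Get-VM -Name 'sql-*')

# 2. A management collection that nests the two VM collections.
$prod = New-VMGroup -Name 'Production' -GroupType ManagementCollectionType
Add-VMGroupMember -VMGroup $prod -VMGroupMember $web, $sql

# 3. Resolve the nested membership back to VM objects. The groups are re-read
#    by name so the member lists reflect the additions made above.
$vms = (Get-VMGroup -Name 'Production').VMGroupMembers |
    ForEach-Object { (Get-VMGroup -Name $_.Name).VMMembers } |
    Where-Object State -eq 'Running'
if (-not $vms) { throw 'No running VMs found in the Production group.' }

# 4. PowerShell Direct: -VMName travels over the Hyper-V socket, not the
#    network, so no firewall rule or remote-management listener is needed in
#    the guest. It is still authenticated: the caller must be a Hyper-V
#    administrator on the host and must supply valid guest credentials.
#    Guests must run Windows 10 / Windows Server 2016 or later.
$cred = Get-Credential -Message 'Guest administrator account'
Invoke-Command -VMName $vms.Name -Credential $cred -ScriptBlock {
    Get-NetFirewallProfile | Select-Object Name, Enabled
} | Sort-Object PSComputerName | Format-Table PSComputerName, Name, Enabled
```

Because this channel bypasses network firewalls and segmentation, membership of the host's Hyper-V Administrators group should be reviewed as carefully as guest administrator accounts.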
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved; the VM is moved to “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per-seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the Multipoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Third-party Hypervisor
Links for installing on VMware
• TechNet Wiki: Nano Server Virtualization with VMware vSphere
• Polar Clouds Blog: Nano Hyper-V in a VMware Virtual Machine
• Cloudbase Blog: Nano Server on KVM and ESXi
Overview
Windows Containers versus Hyper-V Containers
Windows Containers
Windows Server: shared kernel architecture
Isolation provided through namespace and process isolation technologies
Hyper-V: separate kernel architecture
Isolation provided through Hyper-V
Each container runs inside a utility (lightweight) VM
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Storage Spaces Direct
Uses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in the Storage section)
Note: Networking speed is critical
Cloud Witness
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes that are workgroup member servers (not domain joined)…
Fewer dependencies result in increased availability
• Cluster infrastructure switched over to using certificates
[Diagram: multi-domain cluster (Domain A, Domain B) and workgroup cluster of member servers]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered I/O
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters: Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to a VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM directly from the host
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
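PowerShell Direct in practice, as an added example that is not part of the original deck: the host addresses each running guest by VM name over a Hyper-V socket, so the check works even when the guest has no network path or WinRM listener. The credential prompt and the properties collected are illustrative assumptions; the caller must be a Hyper-V administrator on the host and still has to present valid guest credentials, and the guest must run Windows 10 or Windows Server 2016 or later.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Added example: inventory guest patch state over PowerShell Direct.
# Assumption: the same guest account is valid inside every VM; prompt per VM if it is not.
$guestCred = Get-Credential -Message 'Guest OS administrator account'

$report = foreach ($vm in Get-VM | Where-Object State -eq 'Running') {
    try {
        # -VMName selects the PowerShell Direct transport (Hyper-V socket) instead of WinRM.
        Invoke-Command -VMName $vm.Name -Credential $guestCred -ErrorAction Stop -ScriptBlock {
            # Runs inside the guest.
            $lastFix = Get-HotFix | Where-Object InstalledOn |
                       Sort-Object InstalledOn -Descending | Select-Object -First 1
            [pscustomobject]@{
                GuestName     = $env:COMPUTERNAME
                OSVersion     = [System.Environment]::OSVersion.Version.ToString()
                LastHotFix    = $lastFix.HotFixID
                LastPatchedOn = $lastFix.InstalledOn
                WinRMService  = (Get-Service -Name WinRM).Status.ToString()
            }
        } | Select-Object @{ n = 'VMName'; e = { $vm.Name } },
                          GuestName, OSVersion, LastHotFix, LastPatchedOn, WinRMService
    }
    catch {
        # Older guest OS, wrong credentials, or a guest that is still booting ends up here.
        [pscustomobject]@{
            VMName        = $vm.Name
            GuestName     = $null
            OSVersion     = $null
            LastHotFix    = $null
            LastPatchedOn = $null
            WinRMService  = "unreachable: $($_.Exception.Message)"
        }
    }
}

# Least recently patched guests first.
$report | Sort-Object LastPatchedOn | Format-Table -AutoSize
```

Because this channel bypasses guest firewall rules and network segmentation, membership of the host's Hyper-V Administrators group and the guest credentials used with it are the controls worth auditing.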
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
The version of the VM configuration determines which versions of Hyper-V support it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allow executing tasks on a group of VMs
• Management Collections – Allow nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
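The two slides above combined into one workflow, as an added example that is not part of the original deck: VMs still on an older configuration version are collected in a VM collection, and the powered-off members are upgraded. The group names `PendingConfigUpgrade` and `MigrationWaves` are assumptions. The upgrade cannot be reversed and an upgraded VM can no longer run on a Windows Server 2012 R2 host, so run the last step only once no move back to an older host is planned.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

# Added example. Assumed names: 'PendingConfigUpgrade' and 'MigrationWaves'.
$collectionName = 'PendingConfigUpgrade'

# Configuration version this host assigns to newly created VMs.
$hostDefault = [version](Get-VMHostSupportedVersion -Default).Version

# 1. Inventory: VMs whose configuration version is older than the host default.
$outdated = Get-VM | Where-Object { [version]$_.Version -lt $hostDefault }
$outdated | Select-Object Name, Version, State | Format-Table -AutoSize

# 2. Track them in a VM collection so later tasks can target the whole set.
$group = Get-VMGroup -Name $collectionName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-VMGroup -Name $collectionName -GroupType VMCollectionType
}
$missing = $outdated | Where-Object { $_.Id -notin $group.VMMembers.Id }
if ($missing) {
    Add-VMGroupMember -VMGroup $group -VM $missing
}

# A management collection can nest VM collections, for example one per migration wave.
$waves = Get-VMGroup -Name 'MigrationWaves' -ErrorAction SilentlyContinue
if (-not $waves) {
    $waves = New-VMGroup -Name 'MigrationWaves' -GroupType ManagementCollectionType
    Add-VMGroupMember -VMGroup $waves -VMGroupMember $group
}

# 3. Upgrade members that are powered off; running VMs are reported and skipped.
foreach ($vm in (Get-VMGroup -Name $collectionName).VMMembers) {
    if ($vm.State -ne 'Off') {
        Write-Warning "$($vm.Name) is $($vm.State); shut it down before upgrading."
        continue
    }
    Update-VMVersion -VM $vm -Force      # one-way change; add -WhatIf for a dry run
    Remove-VMGroupMember -VMGroup (Get-VMGroup -Name $collectionName) -VM $vm
}
```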
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location; fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved and the VM is moved to a “Paused-Critical” state as it waits for the storage to recover. On recovery the session state is restored
TechNet
• VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud WitnessUses Azure blob storage in Cloud as witness in quorum for stretch cluster
Recommended configuration
Storage Spaces DirectUses local drives for storage and duplicates across cluster nodes using Storage Replica (discussed in Storage section) Note Networking Speed critical
Cloud Witness
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in a VM directly from the host
• No need to configure network firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
The version of the VM configuration determines which versions of Hyper-V support it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections - Allow executing tasks on a group of VMs
• Management Collections - Allow nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump - Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when a node becomes isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of the cluster are temporarily placed in a "Quarantined" state
Storage Resiliency
On storage failure the tenant VM session state is preserved. The VM is moved to a "PausedCritical" state as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations - Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements - Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios ("log on storms")
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQL DB connections, making even smaller-scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
Active Directory independent Cluster ImprovementsClusters can now be deployed independent of domain topology
bull Clusters with all nodes in the same domainhellip
bull Clusters with nodes in different domainshellip
bull Clusters with nodes which are member servers workgroup (not domain joined)hellip
Fewer dependencies results in increased availability
bull Cluster infrastructure switched over using Certificates
Member Servers
Multi-domainWorkgroup
Domain A Domain B
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
bull Discrete device assignment of some PCIe hardware devices to VM
bull Host Resource Protection on host from VM activity
bull Hot add or remove of NICs on Generation 2 VMs
bull Hot add or remove of memory on Generation 2 VMs
bull Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
bull Host Resource Protection
bull Hot add and remove for network adapters and memory
bull RDMA support with switch embedded teaming
bull Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
bull Alternate credentials support
bull Manage earlier versions
bull Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
bull Run PowerShell commands in VM from the host directly
bull No need to configure network firewall or remote management
Hyper-V Sockets
bull Services using socket-based communication between host and VM
bull Available in native code (CC++)
TechNet
bull Hyper-V Manager Improvements
bull Integration Services
bull PowerShell Direct
bull Hyper-V Sockets
Configuration File VersionsVersion of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgrade
Virtual Machine GroupsAdded support for groupings of Virtual Machines (2 types)
bull VM Collections ndash Allows executing tasks on a group of VMs
bull Management Collections ndash Allows to nest VM collections
Create with PowerShell New-VMGroup -GroupType
Mobility ImprovementsLive Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump ndash Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes becomes isolated and are Resiliency to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in ldquoQuarantinedrdquo state
Storage Resiliency
On storage failure the tenant VM session state is preserved VM moved to ldquoPausedCriticalrdquo state
as it waits for the storage to recover On recovery the session state is restored
TechNet
VM Compute Resiliency
bull Site Awareness
bull Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations ndash Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops Gen 2 VM Support and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU driver support (Intel, AMD, NVIDIA)
• Maximum performance (1 or more GPUs to 1 VM)
• Multiuser RDSH support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 444 model using standard H.264/AVC 420 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual hard
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Shared Virtual hard disk
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Host Resource Protection
• Hot add and remove for network adapters and memory
• RDMA support with switch embedded teaming
• Virtual machine multi queues
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network firewall or remote management
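PowerShell Direct as described above, in an added example that is not from the original slides: the host reaches the guest over the VMBus, so the commands run without any guest network path. The VM name `APP01` and the file paths are assumptions; the guest must run Windows 10 or Windows Server 2016, and you need Hyper-V Administrator rights on the host plus valid guest credentials.

```powershell
# Added example (not from the original slides). 'APP01' and the file paths are
# assumed names. Run elevated on the Hyper-V host that owns the VM.
$vmName = 'APP01'

# PowerShell Direct only reaches VMs that are running on the local host.
$vm = Get-VM -Name $vmName -ErrorAction Stop
if ($vm.State -ne 'Running') {
    throw "VM '$vmName' is $($vm.State); PowerShell Direct needs a running VM."
}

# Guest credentials are still required: skipping the network does not skip
# authentication inside the guest.
$cred = Get-Credential -Message "Account inside guest $vmName"

# One-off command. -VMName (instead of -ComputerName) selects the VMBus
# transport, so no guest IP address, firewall rule or WinRM listener is used.
$guestState = Invoke-Command -VMName $vmName -Credential $cred -ScriptBlock {
    $profilesOn = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        GuestName        = $env:COMPUTERNAME
        WinRMService     = (Get-Service -Name WinRM).Status.ToString()
        FirewallProfiles = ($profilesOn.Name -join ',')
        ConnectedNics    = @(Get-NetAdapter | Where-Object Status -eq 'Up').Count
    }
}
$guestState | Format-List GuestName, WinRMService, FirewallProfiles, ConnectedNics

# Persistent session: copy a script into the guest and verify what arrived.
$session = New-PSSession -VMName $vmName -Credential $cred
try {
    Copy-Item -ToSession $session `
              -Path 'C:\Staging\baseline-check.ps1' `
              -Destination 'C:\Windows\Temp\baseline-check.ps1'

    Invoke-Command -Session $session -ScriptBlock {
        Get-FileHash -Path 'C:\Windows\Temp\baseline-check.ps1' -Algorithm SHA256
    }
}
finally {
    # Always tear the session down so no authenticated channel is left open.
    Remove-PSSession -Session $session
}
```

Because this path never touches the guest's network stack, network firewalls and network monitoring do not see it; access is governed by Hyper-V administration rights on the host together with the guest credentials.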
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016 the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell New-VMGroup -GroupType
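The configuration-version upgrade and the two VM group types from the slides above, combined in one added example (not code from the original deck). The group names are assumptions, and the version numbers (5.0 for VMs created on 2012 R2, 8.0 for Server 2016) are supplied here rather than taken from the slides.

```powershell
# Added example (not from the original slides). Group names are assumptions.
# Run elevated on the Windows Server 2016 Hyper-V host.
$targetVersion  = [version]'8.0'          # configuration version native to Server 2016
$collectionName = 'PendingConfigUpgrade'  # assumed name for the VM collection
$mgmtName       = 'MigratedFrom2012R2'    # assumed name for the management collection

# 1. Inventory: VMs moved from 2012 R2 keep version 5.0 until explicitly upgraded.
$pending = @(Get-VM | Where-Object { [version]$_.Version -lt $targetVersion })
$pending | Sort-Object Name | Format-Table Name, State, Version -AutoSize

# 2. VM collection: holds the VMs themselves so tasks can target the group.
if (-not (Get-VMGroup -Name $collectionName -ErrorAction SilentlyContinue)) {
    New-VMGroup -Name $collectionName -GroupType VMCollectionType | Out-Null
}
$existing = @((Get-VMGroup -Name $collectionName).VMMembers | ForEach-Object { $_.Id })
foreach ($vm in $pending) {
    if ($existing -notcontains $vm.Id) {
        Add-VMGroupMember -Name $collectionName -VM $vm
    }
}

# 3. Management collection: holds other groups, which is how collections nest.
if (-not (Get-VMGroup -Name $mgmtName -ErrorAction SilentlyContinue)) {
    New-VMGroup -Name $mgmtName -GroupType ManagementCollectionType | Out-Null
    Add-VMGroupMember -Name $mgmtName -VMGroupMember (Get-VMGroup -Name $collectionName)
}

# 4. Act on the group. Update-VMVersion needs the VM shut down, and the upgrade
#    is one-way: an upgraded VM can no longer run on a 2012 R2 host.
foreach ($member in (Get-VMGroup -Name $collectionName).VMMembers) {
    $vm = Get-VM -Id $member.Id           # re-read current state
    if ($vm.State -ne 'Off') {
        Write-Warning "$($vm.Name) is $($vm.State); shut it down before upgrading."
        continue
    }
    # Dry run. Remove -WhatIf only after backups and rollback needs are settled.
    Update-VMVersion -VM $vm -WhatIf
}
```

Keep a VM at its old configuration version for as long as it may need to move back to a 2012 R2 host, since the upgrade cannot be reversed.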
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to clusterlog and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to a node in the same site, with storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure the tenant VM session state is preserved and the VM is moved to the “PausedCritical” state as it waits for the storage to recover. On recovery the session state is restored.
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
Configuration File Versions
Version of the VM configuration determines what version of Hyper-V supports it
Server 2016 introduced the VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the config file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – Allows executing tasks on a group of VMs
• Management Collections – Allows nesting of VM collections
Create with PowerShell: New-VMGroup -GroupType
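The two group types and the configuration-version upgrade from the slides above, put together as an added example (not part of the original deck). The VM names web01/web02 and the group names Web-Tier/Shop-App are placeholders chosen for illustration.

```powershell
# Added example, not from the original deck. VM and group names are
# placeholders (assumptions); run in an elevated session on a Server 2016 Hyper-V host.
Import-Module Hyper-V

# A VM collection holds virtual machines directly.
New-VMGroup -Name 'Web-Tier' -GroupType VMCollectionType | Out-Null
foreach ($vm in (Get-VM -Name 'web01', 'web02')) {
    Add-VMGroupMember -Name 'Web-Tier' -VM $vm
}

# A management collection holds other groups, which is how collections nest.
New-VMGroup -Name 'Shop-App' -GroupType ManagementCollectionType | Out-Null
Add-VMGroupMember -Name 'Shop-App' -VMGroupMember (Get-VMGroup -Name 'Web-Tier')

# Run a task on the whole collection: list each member's configuration version.
$members = (Get-VMGroup -Name 'Web-Tier').VMMembers
$members | Select-Object Name, State, Version

# Upgrade members still on an older configuration version (VMs created on
# 2012 R2 report 5.0, Server 2016 creates 8.0). The VM must be off, and the
# upgrade is one-way: an upgraded VM can no longer run on a 2012 R2 host.
$members |
    Where-Object { $_.State -eq 'Off' -and [version]$_.Version -lt [version]'8.0' } |
    ForEach-Object { Update-VMVersion -Name $_.Name -Confirm }
```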
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging (link)
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site, and storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure, the tenant VM session state is preserved; the VM is moved to the “Paused-Critical” state as it waits for the storage to recover. On recovery, the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS can now take advantage of DDA, enabling enhanced graphics performance
• Full graphics API Support (e.g. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support: multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 4:4:4 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“log on storms”)
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• Previous OS versions: a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required; however, SQL authentication is now supported
• Shared SQLDB connections, making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS, and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400
RemoteFX vGPUProvides a rich desktop remoting experiencing with Server 2016 Hyper-V and RDS enabling multiple VMrsquos to share the same physical GPU for graphics acceleration
bull OpenGL 44 and OpenCL 11 API support
bull Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
bull Up to 4k resolution support
bull Windows Server 2016 VM support
bull Improved performance
Discrete Device Assignment (DDA) SupportAllows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA enabling enhanced graphics performance
bull Full graphics API Support (ex DirectX OpenGL CUDA OpenCL) (depends on GPU driver)
bull Native GPU Driver Support (Intel AMD NVIDIA)
bull Maximum Performance (1 or more GPUs to 1 VM)
bull Multiuser RDSH Support Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements ndash Codec investmentsNow implements full-screen AVC 444 mode
bull High quality 444 model using standard H264AVC 420 hardware decoders
bull Reduced bandwidth and better experience at higher resolutions
bull Hardware offload support
RDP AVCH264 improvements
RD Connection Broker Scale EnhancementsEnhanced to handle highly concurrent logon scenarios (ldquolog on stormsrdquo)
bull RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
bull Previous OS versions a SQL cluster was recommended requiring 2 VMs
bull SQL database is still required however SQL authentication is now supported
bull Shared SQLDB connections making even smaller scale deployments more cost effective
RD Connection Broker Performance Improvements
Multi-point Services RoleNew server role
bull Enables low-cost per seat desktop computing
bull Allows multiple users each with their own independent Windows experience to simultaneously share one computer
bull The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
bull MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
bull Enabling the Multipoint Services role also installs Remote Desktop Session Host role which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows Windows phone Android iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops
Support for Generation 2 virtual machines
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Service Name Target Level
Chalk Talk - Security Active Directory Certificate Services 100
Chalk Talk - Windows Server 2012 Hyper-V 200
Chalk Talk - Windows Server 2016 What's New 200
Premier Webcast - Windows Server 2012 R2 Failover Clustering Introduction 300
Premier Webcast - Windows Server 2012 R2 Introduction 200
Premier Webcast - Windows Server 2012 What's New in Active Directory 300
Training Workshops Currently Available
Service Name Target Level
Workshop - Windows Server Troubleshooting Windows Applications with DebugDiag - Closed Workshop 300
Workshop - Windows Server Vital Signs Advanced - Closed Workshop 200
WorkshopPLUS - Vital Signs Performance Monitoring Windows Server - Closed Workshop 300
WorkshopPLUS - Windows PowerShell Desired State Configuration - Closed Workshop 300
WorkshopPLUS - Windows PowerShell For the IT Professional - Part 1 - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Capabilities Administration and Support - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 R2 Hyper-V and Failover Cluster - Closed Workshop 300
WorkshopPLUS - Windows Server 2012 Securing Windows Server - Closed Workshop 300
WorkshopPLUS - Windows Server 2016 Hyper-V - Closed Workshop 300
WorkshopPLUS - Windows Server Group Policy Administration and Troubleshooting - Closed Workshop 300
WorkshopPLUS - Windows Server Managing and Supporting Active Directory Certificate Services - Closed Workshop 300
WorkshopPLUS - Windows Server New Features and Upgrade - Closed Workshop 300
WorkshopPLUS - Windows Server Software Defined Storage - Closed Workshop 400